Malware hidden in Google Play steals money through SMSs

Johannesburg - Cybercriminals are now trying different ways to get their malware past security. The latest of these is to install malicious code in stages by wrapping a Trojan SMS around an encrypted rooting Trojan.

The determination of attackers to infect Android devices with Ztorg malware through the Google Play Store shows no signs of slowing down, with criminals constantly adapting their tools and techniques to avoid discovery.

The attackers use the Ztorg Trojan SMS for Android to make money from victims through premium-rate SMS while they wait to execute the rooting Trojan.

The apps have been downloaded more than 50 000 times since mid-May 2017, but have now been removed from Google Play.

In May 2017, Kaspersky Lab researchers discovered what appeared to be a standalone Ztorg variant, a Trojan SMS.

On closer inspection, it turned out to contain an encrypted Ztorg rooting Trojan.

The Ztorg SMS was found in two apps, a browser and a “noise detection” application.

The browser app was uploaded to Google Play on May 15 and never updated – possibly because it was a test run to see if the functionality worked.

The researchers were able to make a more detailed study of the “noise detection” app, uploaded on May 20 and installed more than 10 000 times before being deleted by Google.

Their analysis suggests the cybercriminals’ ultimate aim was to execute a regular version of the Ztorg Trojan.

But since they had opted for a stage-by-stage approach involving a series of clean and then malicious updates, they added some supplementary malicious functionality to make money while they were waiting to run the rooting malware.

The Ztorg SMS functionality allows the app to send premium rate SMSs, delete incoming SMSs and switch off sound.

“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible.

“Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” said Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

Kaspersky Lab advises users to install a reliable security solution on their device, always check that apps have been created by a reputable developer, keep their OS and application software up to date, and not to download anything that looks at all suspicious or whose source cannot be verified.

All Kaspersky Lab products detect the Trojan as Trojan-SMS.AndroidOS.Ztorg.a.
