A mobile malware operation reportedly has been tricking millions of Android device owners into infecting themselves with the Ztorg rootkit trojan by enticing them with offers from both legitimate advertising networks and apps that pay users for installing content.

According to the report, published by Kaspersky Lab on its Securelist blog, some of the most popular Ztorg-infected apps have been downloaded thousands – or even tens of thousands – of times per day. The first of these programs, an app called Privacy Locker that was uploaded to Google Play in December 2015, had racked up a million installations by the time its ulterior motive was discovered.

Roman Unuchek, senior malware analyst at Kaspersky and author of the blog post, reported that he has been tracking the campaign since September 2016, and has found close to 100 Google Play apps infected with Ztorg, including some that were uploaded to the store as recently as April 2017. SC Media has contacted Google for comment.

During his investigation, Unuchek learned that the Ztorg apps have two methods of distribution: The first is via the abuse of advertising networks – primarily Yeahmobi, Mobvista, Avazu, and Supersonicads – to promote the fake apps. The second method of distribution is through “money-making” apps that offer to pay users four or five cents if they install other programs. “It turned out that some users got paid a few U.S. cents for infecting their device, though they didn't know it was being infected,” wrote Unuchek in his blog post.

Not all of the secondary apps advertised on these money-making programs are infected with Ztorg – in fact, Unuchek found some to be perfectly clean – and it is unclear exactly what kind of relationship, if any, the developers of these programs have with Ztorg's distributors.

As explained in an earlier Kaspersky blog post that focused on an infected Pokemon Go app, Ztorg is designed to communicate device information to a C2 server, execute root exploit packs, and enable the implementation of additional malicious modules and apps.