
Worth it? Android users make $0.05 profit infecting themselves with Ztorg trojan

A mobile malware operation reportedly has been tricking millions of Android device owners into infecting themselves with the Ztorg rootkit trojan by enticing them with offers from both legitimate advertising networks and apps that pay users for installing content.

According to the report, published by Kaspersky Lab on its Securelist blog, some of the most popular Ztorg-infected apps have been downloaded thousands – or even tens of thousands – of times per day. The first of these programs, an app called Privacy Locker that was uploaded to Google Play in December 2015, had racked up a million installations by the time its ulterior motive was discovered.

Roman Unuchek, senior malware analyst at Kaspersky and author of the blog post, reported that he has been tracking the campaign since September 2016, and has found close to 100 Google Play apps infected with Ztorg, including some that were uploaded to the store as recently as April 2017. SC Media has contacted Google for comment.

During his investigation, Unuchek learned that the Ztorg apps have two methods of distribution: The first is via the abuse of advertising networks – primarily Yeahmobi, Mobvista, Avazu, and Supersonicads – to promote the fake apps. The second method of distribution is through “money-making” apps that offer to pay users four or five cents if they install other programs. “It turned out that some users got paid a few U.S. cents for infecting their device, though they didn't know it was being infected,” wrote Unuchek in his blog post.

Not all of the secondary apps advertised on these money-making programs are infected with Ztorg – in fact, Unuchek found some to be perfectly clean – and it is unclear exactly what kind of relationship, if any, the developers of these programs have with Ztorg's distributors.

As explained in an earlier Kaspersky blog post that focused on an infected Pokemon Go app, Ztorg is designed to communicate device information to a C2 server, execute root exploit packs and enable the implementation of additional malicious modules and apps.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
