A researcher with Kaspersky helped uncover two new apps in the Ztorg malware family, but these new ones take a far less direct approach to compromising a user’s device, which kept them from being discovered for longer than their contemporaries. The apps in question were Magic Browser and Noise Detector, and both have since been removed from the Play Store, though it’s entirely possible that others may be lurking. The two apps were somewhat popular, with Magic Browser amassing over 50,000 downloads, while Noise Detector got over 10,000. The only real traces a Ztorg app of this kind leaves on a device are unwelcome ads shown at random and the device being silenced so that the SMS function can be used in secret.
The core of the Ztorg malware in this case was not aimed at rooting a device, but at controlling its SMS function and contacting a remote server. Essentially, the app will seize control of a user’s SMS messaging system through either exploits or seemingly unrelated permissions. It also contacts a control server for instructions. The control server then tells it whether to open WAP billing URLs that will subscribe a user to paid services, send out paid SMS messages, download apps from the Play Store, display advertisements, or do all of the above, depending on the device and how much access the trojan has. Magic Browser had SMS functionality out of the box, but Noise Detector was updated little by little to add in the malicious functionality. A clean version hit the Play Store first, and when it eventually built up to using root exploits known from the previous Ztorg apps, it caught the attention of researchers and Google.
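As an added illustration (not code from the article or from Kaspersky's research), the script below triages an Android manifest for the permission combination that matches the behaviour described above: SMS control, the ability to mute the device, and network access to reach a control server. The Android permission names are real; the sample manifests, package names and risk thresholds are constructed assumptions.

```python
"""Heuristic manifest triage for the silent-SMS pattern described in the article."""
import re
from typing import Dict, List

# Permission groups mapped to the behaviours the article describes.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
# Muting the ringer / notifications hides incoming premium-SMS replies.
MUTE_PERMS = {"android.permission.MODIFY_AUDIO_SETTINGS",
              "android.permission.ACCESS_NOTIFICATION_POLICY"}
NET_PERMS = {"android.permission.INTERNET"}

_USES_PERM = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')


def extract_permissions(manifest_xml: str) -> List[str]:
    """Return every <uses-permission android:name=...> value in the manifest."""
    return _USES_PERM.findall(manifest_xml)


def triage(manifest_xml: str) -> Dict[str, object]:
    """Score a manifest: 'high' when SMS + muting + network are all requested."""
    perms = set(extract_permissions(manifest_xml))
    findings = []
    if perms & SMS_PERMS:
        findings.append("sms-control")
    if perms & MUTE_PERMS:
        findings.append("device-muting")
    if perms & NET_PERMS:
        findings.append("network")
    if {"sms-control", "device-muting", "network"} <= set(findings):
        risk = "high"          # full pattern: silent premium SMS with a C2 channel
    elif "sms-control" in findings and "network" in findings:
        risk = "medium"        # SMS plus network is still unusual for a browser
    else:
        risk = "low"
    # Caveat from the article: apps may gain this behaviour through later updates
    # or exploits, so rerun this check on every new version, not just on install.
    return {"permissions": sorted(perms), "findings": findings, "risk": risk}


# Constructed sample: a "browser" that also asks for SMS and audio control.
SUSPICIOUS_MANIFEST = """<manifest package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
</manifest>"""

# Constructed sample: a browser that only needs network access.
BENIGN_MANIFEST = """<manifest package="com.example.plainbrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```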
If you were victimized by Ztorg in this form, the fraudulent charges will show up on your carrier bill, so you’ll have to dispute the charges with your carrier. The malware’s power essentially begins and ends with running up fraudulent charges for the user and showing ads; it doesn’t aim to turn a user’s device into a member of a botnet, steal privileged information, or do any of the other nasty things that malware normally does. Such malware is usually caught by Google’s Verify Apps function, but that’s not a guarantee of safety. Still, installing apps strictly from the Play Store is your best bet for staying safe from malware like this. Presumably, Ztorg apps using previous versions or fully functional versions of the malicious code are still out there on the web, but those have reportedly been found and removed from the Play Store.