Threat Research: zTorg Trojan Variations

This Threat Research is about two variations of the zTorg mobile trojan recently discovered in Google Play by Kaspersky researcher, Roman Unucheck.

In his blog post, Unucheck described the two variations as “Magic browser” and “Noise Detector”. According to Unucheck, “Magic browser” was uploaded to Google Play on May 15, 2017 and was installed more than 50,000 times. “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.

Additional details of the threat, and how Zimperium zIPS protects devices against it, are included below.

Threat/Attack Description:

• After starting, Trojan connects to its command and control (C&C) server.
• Trojan makes two requests to get both parts of the International Mobile Subscriber Identity (IMSI), MCC (mobile country code) and MNC (mobile network code), to identify the country and mobile operator of the infected user and know which premium rate SMS should be sent.
• Trojan may receive an encrypted JSON file with list of bogus and fraudulent offers carrying a string field called “url”. If the value is a true url, the device owner may be exposed to the offers. If the url carries an “SMS” substring, the user will send an SMS containing the text supplied to the number provided. There is also evidence that urls may open web-pages with WAP billing and steal money from a user’s account.
• To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

zIPS Detection:

zIPS will detect and alert on these malicious apps with an option to delete/uninstall the apps immediately. zIPS will also detect any attempts by the apps to elevate privileges.

Threat level: Medium / Low