The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices. The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.
After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.
The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.
Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.
It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.