{"id":7751,"date":"2017-05-24T05:31:00","date_gmt":"2017-05-24T13:31:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/24\/news-1536\/"},"modified":"2017-05-24T05:31:00","modified_gmt":"2017-05-24T13:31:00","slug":"news-1536","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/24\/news-1536\/","title":{"rendered":"Ztorg Trojan: Infect yourself for 5 cents"},"content":{"rendered":"<p><strong>Credit to Author: John Snow | Date: Wed, 24 May 2017 13:00:04 +0000<\/strong><\/p>\n<p>A lot of ads on the Internet promote easy ways to earn money. They tend to lead to fishy places \u2014 say, a post from an alleged mother of three who stays at home, earns several thousand dollars a day, and says you can do the same. But other offers of easy money look far more plausible.<\/p>\n<p> <a href=\"https:\/\/blog.kaspersky.com\/files\/2017\/05\/ztorg-android-trijan-featured.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16915\" src=\"https:\/\/blog.kaspersky.com\/files\/2017\/05\/ztorg-android-trijan-featured.jpg\" alt=\"Don't install apps for money\" width=\"1460\" height=\"960\" \/><\/a> <\/p>\n<p>For example, some services offer to pay you for installing apps. The money amounts to pocket change \u2014 about 5 cents per app \u2014 but the work is effortless, so some people find it attractive nonetheless. This kind of scheme is especially popular among children \u2014 install 50 apps and get $2.50 to buy some gear for your favorite character in an online game.<\/p>\n<p>The Google Play app store has quite a few applications that are in fact app exchanges. You download one of those, install it, see a list of apps for which you can get paid, download a couple of those on the list, install them, play for a couple of minutes \u2014 and profit!<\/p>\n<p>That looks rather mundane \u2014 even legitimate. 
Indeed, many software developers place a high value on the number of app downloads, and such a scheme inflates that number, even if it isn&#8217;t exactly honest. No wonder developers are willing to pay for it. There doesn&#8217;t seem to be a catch \u2014 or is there?<\/p>\n<h2>Money for nothing, malware for free<\/h2>\n<p>Of course there is \u2014 otherwise, why would we write about it? It turns out that such app exchanges may push you to download malware, in particular the infamous <a href=\"https:\/\/blog.kaspersky.com\/triada-trojan\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ztorg Trojan<\/a>. That is the Trojan that was downloaded from Google Play 500,000 times while disguised as a guide for the popular game <a href=\"https:\/\/blog.kaspersky.com\/pokemon-go-malware\/\" target=\"_blank\" rel=\"noopener noreferrer\">Pok\u00e9mon Go<\/a>.<\/p>\n<p>Guide for Pok\u00e9mon Go is not the only app containing Ztorg. Roman Unuchek, the Kaspersky Lab expert who discovered Ztorg in that app, <a href=\"https:\/\/securelist.com\/analysis\/publications\/78325\/ztorg-money-for-infecting-your-smartphone\/\" target=\"_blank\" rel=\"noopener noreferrer\">explored the applications distributed via these exchanges for several months<\/a>. He found that new apps appeared every month that were in fact just disguises for Ztorg.<\/p>\n<h3>What Ztorg actually does<\/h3>\n<p>All of these applications have two things in common. First, their download numbers increase rapidly \u2014 by tens of thousands per day. 
Second, if you look at their user reviews in the Google Play store, many mention that people downloaded those apps for money, credits, bonuses, or similar rewards.<\/p>\n<p> <a href=\"https:\/\/cdn.securelist.com\/files\/2017\/05\/ztorg_en_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn.securelist.com\/files\/2017\/05\/ztorg_en_3.png\" alt=\"One of Ztorg infected apps in Google Play\" width=\"801\" height=\"657\" \/><\/a> <\/p>\n<p>The Ztorg Trojan&#8217;s behavior hasn&#8217;t changed from one disguise to the next. After installation, it collects information about the system and the device and sends it to the command-and-control (C&amp;C) server. The server responds with files that let the malware gain root access to the device, and once the device is rooted the crooks can do whatever they want: show ads, download other Trojans, and so on.<\/p>\n<p>Ztorg also spreads through ads: you click on a banner, download the app, install it, and you are infected. Very easy!<\/p>\n<p>What&#8217;s interesting is that Ztorg shows its victims ads from the very same networks through which it spreads itself. The networks are legitimate; many other applications use them to monetize themselves. It&#8217;s just that the networks&#8217; ad review missed the important point that they were advertising malware.<\/p>\n<p>To be fair, Ztorg&#8217;s developers hid the malicious functionality well, and it is not evident when studying the app. For example, Ztorg checks its environment and won&#8217;t run in a sandbox (an analyst&#8217;s test environment).<\/p>\n<p>Most malvertising banners do not link directly to the app download page; instead they send users through a chain of redirects, page after page after page. Unuchek counted up to 27 such redirects before finally reaching the download. 
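An added example (not code from the original post or from Kaspersky): a redirect-chain walker of the kind an analyst uses to measure how many hops a malvertising banner bounces through before it lands on an APK. The banner URL, the tracker hostnames, the 27-hop chain and the offline fetch are constructed sample data, not captured campaign traffic. The walker follows Location headers (relative ones included), caps the hop count, stops on a loop, and reports the number of redirects and of distinct hosts, the two figures worth comparing against the 27 redirects Unuchek counted.

```python
from urllib.parse import urljoin, urlsplit

# MIME type Android uses for an APK download.
APK_MIME = 'application/vnd.android.package-archive'

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_redirects(start_url, fetch, max_hops=40):
    # Walk a 3xx Location chain the way a browser would, recording every hop.
    # fetch(url) returns (status, headers) with lower-case header names; it is
    # injected so the walker can run against recorded or constructed traffic.
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            ctype = headers.get('content-type', '')
            result = 'apk' if ctype.startswith(APK_MIME) else 'page'
            return _report(result, chain)
        location = headers.get('location')
        if not location:
            return _report('broken', chain)
        nxt = urljoin(url, location)  # Location may be relative to the current URL
        if nxt in seen:
            return _report('loop', chain)
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return _report('too_many_hops', chain)


def _report(result, chain):
    return {
        'result': result,
        'redirects': len(chain) - 1,
        'hosts': distinct_hosts(chain),
        'final': chain[-1],
        'chain': chain,
    }


def distinct_hosts(urls):
    # Malvertising chains bounce through many unrelated hosts; count them.
    return len({urlsplit(u).netloc for u in urls})


def build_constructed_chain(hops):
    # Constructed sample data, not captured Ztorg traffic: a banner click that
    # bounces through the given number of redirects on made-up tracker hosts
    # and ends on an APK served from the last tracker via a relative Location.
    responses = {}
    start = 'http://banner.example/click?id=1536'
    url = start
    for i in range(hops - 1):
        nxt = 'http://tracker%d.example/r?step=%d' % (i, i)
        responses[url] = (302, {'location': nxt})
        url = nxt
    responses[url] = (302, {'location': '/files/guide.apk'})
    final = urljoin(url, '/files/guide.apk')
    responses[final] = (200, {'content-type': APK_MIME})
    return responses, start, final


def walk_constructed_chain(hops=27, max_hops=40):
    # Resolve the constructed chain with an offline fetch (unknown URLs 404).
    responses, start, _ = build_constructed_chain(hops)

    def fetch(url):
        return responses.get(url, (404, {}))

    return follow_redirects(start, fetch, max_hops=max_hops)


if __name__ == '__main__':
    report = walk_constructed_chain()
    print(report['result'], report['redirects'], 'redirects across',
          report['hosts'], 'hosts')
    for hop in report['chain']:
        print('  ', hop)
```

Swap the injected fetch for one that issues real requests without following redirects automatically and the same walker records a live chain; keeping the hop cap protects the analysis from redirect loops and from trackers that never terminate.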
Moreover, the app can delay fetching the malicious files from the C&amp;C server for up to 90 minutes \u2014 by then a tester has probably concluded that the app isn&#8217;t doing anything malicious.<\/p>\n<p>That concealment \u2014 obfuscated code, sandbox detection and delayed payload delivery \u2014 is exactly the trick that kept getting the malicious applications into the official Google Play store for a year and a half. Other Trojans lurk in there as well \u2014 <a href=\"https:\/\/blog.kaspersky.com\/dresscode-android-trojan\/\" target=\"_blank\" rel=\"noopener noreferrer\">we&#8217;ve already covered that topic<\/a> (more than once) \u2014 so you should not blindly trust every application from this or any other store.<\/p>\n<h3>The moral<\/h3>\n<p>How can you avoid becoming a victim of such attacks and letting scammers into your phone? We have two tips for you:<\/p>\n<ul>\n<li>Download applications only from trustworthy developers or, better, from official app stores. You may still encounter Trojans there, but they are far less prevalent in official stores.<\/li>\n<li>Install reliable protection. For example, <a href=\"https:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=ww_kdaily\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Kaspersky Internet Security for Android<\/a> has long been able to identify and neutralize Ztorg in any form or application. 
If you use the free version, you&#8217;ll have to remember to run a scan every so often; automatic scans are one feature of the paid version.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blog.kaspersky.com\/ztorg-botnet\/16914\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: John Snow| Date: Wed, 24 May 2017 13:00:04 +0000<\/strong><\/p>\n<p>Applications that offer to pay you for installing other applications tend to shove malware at you.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[12359,10462,10469,11638,11268,11092,32,12360,714,10438,12269,12361],"class_list":["post-7751","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-adverts","tag-android","tag-applications","tag-exploit","tag-google-play","tag-mobile-devices","tag-news","tag-rooting","tag-security","tag-threats","tag-trojans","tag-ztorg"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7751"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7751\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7751"}],"wp:term":[{"taxonomy":"category","embeddable":true
,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7751"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}