Google Play Hit by More Ztorg-Based Android Malware, Says Kaspersky Labs
Google has removed Magic Browser and Noise Detector apps
These apps belonged to the Ztorg Trojan family of Android malwares
Kaspersky researcher spotted these apps and their attack course
In a bid to increase security on its Android platform, Google has reportedly removed more Android apps from its Google Play store for the second time this month. Google has taken strict action against two malicious apps – Magic Browser and Noise Detector – acting as conduits for attackers to remotely ‘root’ control the infected devices after a researcher from Kaspersky Lab pointed out the threat in his report. The Android malware carried by these apps belongs to the Ztorg Trojan family, which is notoriously known for bypassing Google’s safety controls to root infected Android devices.
In a report published on Kaspersky Lab’s Securelist website, senior researcher Roman Unuchek presents extensive analysis on the new Ztorg-based malware. Kaspersky Lab says Ztorg malware bypassed Google’s malware checks almost 100 times since September last year, and the malware family is best known for gaining ‘root’ privileges of infected devices to completely control them. Ztorg apps like Privacy Lock and a false Pokemon Go guide raked in huge download numbers before they were recognised as malicious and deleted from Google Play.
Coming to the current batch of apps, the first one is Magic Browser that pretended to be a Chrome browser alternative in Google Play. It was published on May 15 and had been downloaded over 50,000 times before it was finally removed. The other app is Noise Detector that was meant to allow users to measure the decibel level of sounds and had more than 10,000 downloads before its removal.
Both the apps, as we mentioned, belonged to the Ztorg Trojan family, but didn’t root affected devices before their removal. Unuchek says the app had the Ztorg digital fingerprint, and speculates that the developers may soon have added the root ability if the apps hadn’t been removed.
Unuchek says the Magic Browser app was being used by developers to either test or use malicious text messaging functions. The Magic Browser could send premium text messages to infected phone numbers and leave no traces behind by even deleting the incoming messages and muting the notification sound. “In total, the Magic browser app tries to send SMS from 11 different places in its code. Cybercriminals are doing this in order to be able to send SMS from different Android versions and devices. Furthermore, I was able to find another modification of the Trojan-SMS.AndroidOS.Ztorg that is trying to send an SMS via the “am” command, although this approach should not work,” reads Unuchek’s report.