Ztorg: money for infecting your smartphone


This analysis started after we uncovered an infected Pokémon GO guide in Google Play. It was there for a couple of weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found other similar infected apps that were being distributed from the Google Play store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2015. It was one of the most popular Ztorg modifications, with more than 1 million installations.

When I started tracking these infected apps, two things struck me: how rapidly they became popular, and the feedback in the user review sections.

These infected apps quickly became very popular, gaining thousands of new users every day!

For example, com.fluent.led.compass had 10,000–50,000 installations on the day I found and reported it to Google.

However, it still wasn't deleted from Google Play the next day, and the number of installations increased tenfold to 100,000–500,000. That means there were at least 50,000 new infected users in the space of just one day.

There were numerous comments saying that people had downloaded these apps for credits/cash/etc.

In some of these comments the users mentioned other apps: Appcoins, Advertapp, etc.

That's where this latest piece of research began.


Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install other apps, including one that was malicious, for $0.05.

To be honest, I was surprised that only one was malicious; all the other apps were clean.

The funny thing is that they check for root rights on the device and don't pay users who have them. And the first thing that Ztorg did on the device after infection was to get superuser rights.

I contacted the Appcoins developers to try to find out where this malicious advertising offer came from, but they deleted the offer and replied to me saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:

https://play.google.com/store/apps/details?id=com.moneyreward.fun

And of course they offered malware too:

All of these offered users 0.04–0.05 USD for installing an app infected with Ztorg from Google Play.


So I decided to take a closer look at these offers and at the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

  1. The app receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually supersonicads.com and aptrk.com).

  2. After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to global.ymtracking.com or avazutracking.net. These URLs are related to the ads too.

  3. Then it redirects to track.iappzone.net.

  4. And the final URL, which leads to the Google Play store, was app.adjust.com.

All the offers that I was able to dump contained track.iappzone.net and app.adjust.com.

adjust.com is a well-known "business intelligence platform"; the URLs that are used in malicious campaigns look like this:

By analyzing these URLs we are able to identify infected apps on Google Play.

Malicious server

URLs from iappzone.net look like this:

http://track.iappzone.net/click/click?offer_id=3479&aff_id=3475&campaign1002009&install_callback=http://track.supersonicads.com/api/v1/processCommissionsCallback.php?advertiserId=85671&password=540bafdb&dynamicParameter=dp5601581629793224906

This URL structure (offer_id=..&aff_id=..&campaign=..) is related to the OffersLook tracking system. It contains many interesting things, like the offer ID and the affiliate ID. However, it turns out that the cybercriminals use different values for them, making these parameters useless for us, except for one: install_callback. This parameter contains the name of the ad service.

While searching for iappzone.net I was able to find some APK files that contained this URL. All of these files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that iappzone.net used the same IP as aedxdrcb.com, which was mentioned in Check Point's Gooligan report. A few weeks after that report was made public, iappzone.net (which wasn't mentioned in the report) was moved to a new IP: 139.162.57.41.

Ad modules

Fortunately, I was able to find iappzone.net not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module, usually Batmobi or Mobvista. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server api2.batmobil.net.

The user sees a list of advertised apps:

After the user clicks on one of the ads, they're redirected to the Google Play store.

In this case, the redirects look like this:

api2.batmobil.net -> global.ymtracking.com -> tracking.acekoala.com -> click.apprevolve.com -> track.iappzone.net -> app.adjust.com -> play.google.com

After analyzing ad campaigns containing iappzone.net, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. It turns out the cybercriminals only used four ad networks.

Ad sources

Ad network (install_callback host)    Share of track.iappzone.net callbacks
Yeahmobi (global.ymtracking.com)    41%
Mobvista (next.mobvista.com)    34%
Avazu (postback.apx.avazutracking.net)    18%
Supersonicads (track.supersonicads.com)    7%
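To put the install_callback attribution into practice, here is a small Python helper. It is added to this write-up and is not part of the original analysis or of any ad platform's code. It walks redirect chains like the Batmobi one shown above, flags those that pass through track.iappzone.net, extracts install_callback from the iappzone URL and maps the callback host to one of the four networks in the table. The chains it runs on are constructed to mirror the quoted ones; the offer paths and IDs in them are made up.

```python
"""Attribute the ad-redirect chains described above to their ad networks.

Added example; this is not code from the original post or from any of the
products it names. It takes redirect chains (lists of URLs, in order), flags
the ones that pass through track.iappzone.net, pulls the install_callback
parameter out of the iappzone URL and maps the callback host to one of the
four ad networks in the table. The chains below are constructed to mirror
the ones quoted in the text; they are not captured traffic.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The tracker every malicious campaign in the article passed through.
MALICIOUS_TRACKER = "track.iappzone.net"

# install_callback hosts -> ad network, taken from the article's table.
CALLBACK_NETWORKS = {
    "global.ymtracking.com": "Yeahmobi",
    "next.mobvista.com": "Mobvista",
    "postback.apx.avazutracking.net": "Avazu",
    "track.supersonicads.com": "Supersonicads",
}


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def install_callback(url):
    """Return the install_callback value of a tracker URL, or None.

    The campaigns embed the callback URL unencoded, so its own '?...&...'
    query bleeds into the outer query string. parse_qs cuts the value at the
    next '&', which still leaves the callback's scheme and host intact, and
    that host is all the attribution needs.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("install_callback")
    return values[0] if values else None


def analyze_chain(chain):
    """Classify one redirect chain.

    Returns (malicious, network): malicious is True when the chain touches
    track.iappzone.net; network is the ad network attributed from the
    install_callback host, 'unknown' if the host is not one of the four,
    and None for a chain that never touches the tracker.
    """
    for url in chain:
        if host_of(url) == MALICIOUS_TRACKER:
            callback = install_callback(url)
            network = "unknown"
            if callback:
                network = CALLBACK_NETWORKS.get(host_of(callback), "unknown")
            return True, network
    return False, None


def attribute_campaigns(chains):
    """Count, per ad network, how many malicious chains called back to it."""
    counts = Counter()
    for chain in chains:
        malicious, network = analyze_chain(chain)
        if malicious:
            counts[network] += 1
    return counts


# Constructed sample chains (not real captures). The first mirrors the
# Batmobi -> ... -> iappzone -> adjust -> Google Play chain in the text.
IAPPZONE_URL = (
    "http://track.iappzone.net/click/click?offer_id=3479&aff_id=3475"
    "&install_callback=http://track.supersonicads.com/api/v1/"
    "processCommissionsCallback.php?advertiserId=85671&password=540bafdb"
)
SAMPLE_CHAINS = [
    [
        "http://api2.batmobil.net/offers",
        "http://global.ymtracking.com/trace?offer=1",
        "http://tracking.acekoala.com/aff_c?offer=1",
        "http://click.apprevolve.com/c?id=1",
        IAPPZONE_URL,
        "http://app.adjust.com/abc123",
        "https://play.google.com/store/apps/details?id=com.example.app",
    ],
    [
        "http://next.mobvista.com/click?o=2",
        "http://track.iappzone.net/click/click?offer_id=1&aff_id=2"
        "&install_callback=http://global.ymtracking.com/cb?tid=9",
        "https://play.google.com/store/apps/details?id=com.example.other",
    ],
    [  # clean offer: no iappzone hop
        "http://api2.batmobil.net/offers",
        "http://app.adjust.com/def456",
        "https://play.google.com/store/apps/details?id=com.example.clean",
    ],
]

if __name__ == "__main__":
    for chain in SAMPLE_CHAINS:
        print(analyze_chain(chain), chain[-1])
    print(attribute_campaigns(SAMPLE_CHAINS))
```

Feeding real proxy logs into attribute_campaigns reproduces the percentages in the table; the last URL of every flagged chain is the Google Play listing of an app worth reporting.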

However, this doesn't mean that malware was only being distributed through these four networks. These ad networks sell their ads to a variety of advertising companies. In my research I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads always pointed to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi -> SupersonicAds

This means that these networks also redistribute ads to each other.

I wasn't able to find any other ad networks in the install_callback parameter until the end of March 2017.

Other sources

During my research I found some infected apps that weren't promoted by these advertising networks. When I looked at their detection paths I found that there were a few patterns to them. Most of the paths where these apps were detected (apart from the installation path /data/app) were as follows:

I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders aren't all malicious; most of them are clean.

Folder name    Type    Detection %*
DownloadProvider    Malware    81%
TF47HV2VFKD9    Malware    56%
snowfoxcr    Adware    51%
nativedroid    Malware    48%
.walkfree    Adware    33%
ceroa    Adware    20%
sysAndroid    Malware    16%
.googleplay_download    Malware    15%

* Malicious apps that were downloaded to a specific folder as a share of all apps in that folder.

Infected apps

Similar apps

All the infected apps that I analyzed surprised me in that they don't look like they were patched with malware code. In many other cases, cybercriminals simply add malicious code to clean apps, but not in this case. It looks like these apps were created specifically for distributing malware.

Publishers from Google Play

Some of the publishers' emails from Google Play:

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

  1. trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

  2. liemproduction08 -> liem production [08] – Thuat Liem Production, a company from Ho Chi Minh City, Vietnam

  3. nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of the Chinese name Wang Yuan

Malicious modules

Almost all the infected apps from Google Play contain the same functionality: to download and execute the main module. During this research, I found three types of modules with this functionality.

Each infected app from Google Play with this type of malicious module was protected by a packer. I'll describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many classes, and only a few of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events. This means that the malicious code only starts executing after the user installs, updates or removes an app.

As a first step, the malicious module checks whether it's running on a virtual machine, emulator or sandbox. To do so, it checks several dozen files that are present on such machines and several dozen values of various device properties. If this check is passed, the Trojan starts a new thread.

In this new thread the Trojan waits a random period of time, between an hour and an hour and a half. After waiting it makes an HTTP GET request to the C&C (em.kmnsof.com/only) and, in response, receives a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is a XORed JAR that contains the malicious classes.dex, the main module.


Since October 2016 I've reported many apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. At first they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all the functionality into an ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered when app execution begins, from the onCreate method.

The malicious code in the infected classes.dex is simple: it starts a new thread that loads the MyGame library, and it has two methods for handling sandbox detection, which are executed from the library.

In this version the delays are much smaller than in the previous one: it waits only 82 seconds before execution.

After starting, the MyGame library checks whether it's running in a sandbox by executing the two methods from classes.dex. One tries to register a receiver for the BATTERY_CHANGED action and checks whether the reported battery state is "ideal" (as it is on an emulator). The other tries to get application info about the com.android.vending package (the Google Play store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return "false", the malicious library executes a GET request to the command server.

The library decodes this response and XORs it with the key 0x66:

g_class_name = b.a.b.a
g_method_name = b
g_url = http://dow.nctylmtp.com/hy/hy003/gp003.apk
g_key = 80

The .apk file available at g_url is downloaded into the cache folder of the app's data directory (/data/data/<package_name>/cache). The library XORs it with g_key and loads it using the loadClass method of the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, replacing the Java code with C code. But the functionality remains the same: connect to the C&C, download and execute the main module.

Detection bypassing

Once I had the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users who install apps through the ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play, without clicking on any ads.


In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference from the previous version is that it's no longer a Trojan-Downloader. It doesn't download the main module from a malicious server; instead, it carries an encrypted module in the assets folder of the installation package. The file, called data.data, is XORed with 0x12 and then loaded using the loadClass method.
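The XOR layers described above (the 0x66-keyed C&C answer, the g_key-keyed APK fetched by the MyGame library, and the 0x12-keyed data.data asset of the April 2017 variant) are easy to peel off with a few lines of Python. The decoder below is an added example, not the Trojan's own code and not from the original post. It assumes the decoded C&C answer is the plain "name = value" text quoted above, and it goes one step beyond the article by recovering the single-byte payload key from the ZIP header every APK/JAR starts with, so the analyst does not have to trust the g_key value the server sends. All inputs are constructed inside the script; a harmless throwaway ZIP stands in for gp003.apk.

```python
"""Decoder for the XOR layers of the Ztorg loaders described above.

Added example, not the malware's or the article's own code. The article
states that the C&C answer is XORed with 0x66 and yields a name = value
configuration, that the fetched APK is XORed with g_key (80 in the sample)
and that the later variant ships data.data XORed with 0x12. Everything here
builds on those facts; the sample blobs are constructed, not captured.
"""
import io
import zipfile

CONFIG_KEY = 0x66   # key for the C&C answer (from the article)
ASSET_KEY = 0x12    # key for data.data in the April 2017 variant
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every APK/JAR


def xor_bytes(data, key):
    """XOR every byte with a single-byte key; the layer is its own inverse."""
    return bytes(b ^ key for b in data)


def parse_config(decoded):
    """Parse 'name = value' lines into a dict; g_key becomes an int."""
    cfg = {}
    for line in decoded.decode("utf-8", "replace").splitlines():
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        cfg[name] = int(value) if name == "g_key" else value
    return cfg


def decode_config(blob):
    """Strip the 0x66 layer from a C&C answer and parse the result."""
    return parse_config(xor_bytes(blob, CONFIG_KEY))


def recover_xor_key(blob):
    """Brute-force the single-byte key of a XORed APK/JAR.

    Rather than trusting g_key, derive the key from the known plaintext:
    an APK is a ZIP file, so its first four bytes must be PK\\x03\\x04.
    Returns the key, or None if no key produces a ZIP header.
    """
    for key in range(256):
        if xor_bytes(blob[:4], key) == ZIP_MAGIC:
            return key
    return None


def decode_payload(blob, key=None):
    """Decode a XORed APK/JAR; returns (key used, list of archive members).

    With key=None the key is recovered from the ZIP magic, which also
    works for the data.data asset whose key is fixed rather than served.
    """
    if key is None:
        key = recover_xor_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key yields a ZIP header")
    apk = xor_bytes(blob, key)
    with zipfile.ZipFile(io.BytesIO(apk)) as archive:
        return key, archive.namelist()


# Constructed C&C answer: the plaintext quoted in the article, XORed with 0x66.
SAMPLE_CONFIG_PLAINTEXT = (
    b"g_class_name = b.a.b.a\n"
    b"g_method_name = b\n"
    b"g_url = http://dow.nctylmtp.com/hy/hy003/gp003.apk\n"
    b"g_key = 80\n"
)
SAMPLE_CONFIG_BLOB = xor_bytes(SAMPLE_CONFIG_PLAINTEXT, CONFIG_KEY)


def _build_fake_apk():
    """Minimal harmless ZIP standing in for gp003.apk (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        archive.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


SAMPLE_PAYLOAD_BLOB = xor_bytes(_build_fake_apk(), 80)        # g_key layer
SAMPLE_ASSET_BLOB = xor_bytes(_build_fake_apk(), ASSET_KEY)   # data.data layer

if __name__ == "__main__":
    cfg = decode_config(SAMPLE_CONFIG_BLOB)
    print(cfg)
    print(decode_payload(SAMPLE_PAYLOAD_BLOB, cfg["g_key"]))
    print(decode_payload(SAMPLE_ASSET_BLOB))   # key recovered from ZIP magic
```

The known-plaintext trick is worth keeping in the toolbox: when a later build changes the key, or ships the key only inside native code, the ZIP header still gives it away in one pass over 256 candidates.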


Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I'll describe one of the most recent: 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the loadClass method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping a number of files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs with the down.118pai.com domain didn't work at the time of this research. All files that have these URLs can also be dropped. All files that have URLs only and cannot be dropped have URLs with the domains sololauncher.mobi and freeplayweb.com, which were available at the time of this analysis.

In one of the earlier versions of the main module, dated September 2016, all the URLs had the down.118pai.com domain and were available at that time.

Some of the dropped/downloaded malicious files can be added to the /system/etc/install-recovery.sh file. This means that these files will remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into several groups:

Clean files, tools
File name    Tool name    MD5
data/files/.zog/.a    chattr    9CAE8D66BE1103D737676DBE713B4E52
data/files/.zog/.a    chattr    1E42373FA7B9339C6C0A2472665BF9D4
data/files/.zog/supolicy    supolicy    cdceafedf1b3c1d106567d9ff969327a
data/files/.zog/busybox    busybox    3bc5b9386c192d77658d08fe7b8e704f
data/files/.zog/.j    Patched su    8fb60d98bef73726d4794c2fc28cd900

Exploits, exploit packs, exploit droppers
File name    Name    MD5    Detection name
data/files/.Ag/Agcr    Agcr32    D484A52CFB0416CE5294BF1AC9346B96    Exploit.AndroidOS.Lotoor.bv
data/files/.Ag/Agcr    Agcr64    B111DD21FD4FCEFDC8268327801E55CE    Exploit.AndroidOS.Lotoor.bv
data/files/.zog/.ag/bx    Bx    70EBFA94C958E6E6A7C6B8CD61B71054    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/cx    cx    892E033DA182C06794F2B295377B8A65    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/exp    exp    6E17234C57308012911C077A376538DC    Exploit.AndroidOS.Lotoor.bz
data/files/.zog/.ag/nn.zip    maink.apk/boy    ab9202ccfdd31e685475ba895d1af351    script
data/files/.zog/.ag/nn.zip    maink.apk/bx    70ebfa94c958e6e6a7c6b8cd61b71054    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym    ym32    F973BAA67B170AB52C4DF54623ECF8B3    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym    ym64    807A6CF3857012E41858A5EA8FBA1BEF    Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.aa    mainp.apk/r1    c27e59f0f943cf7cc2020bda7efb442a    Exploit.AndroidOS.Lotoor.bh
data/files/.zog/.aa    mainp.apk/r2    368df668d4b62bdbb73218dd1f470828    Exploit.AndroidOS.Lotoor.bi
data/files/.zog/.aa    mainp.apk/r3    fb8449d1142a796ab1c8c1b85c7f6569    Exploit.AndroidOS.Lotoor.bh
data/files/.zog/.aa    mainp.apk/r4    04dd488783dffcfd0fa9bbac00dbf0f9    Exploit.Linux.Enoket.a
data/files/.zog/.ad    mainmtk.apk    b4b805dc90fa06c9c7e7cce3ab6cd252    Exploit.AndroidOS.Lotoor.bi
data/files/.zog/.ag/np    np    1740ae0dc078ff44d9f229dccbd9bf61    Exploit.Linux.Enoket.a

Most of these files can be downloaded by the Trojan, but some of them can only be dropped from the Trojan's body. Moreover, most of the downloaded files are the same as they were seven months earlier, in September 2016.

Native (ELF) malicious modules
File name    MD5    Path after infection    Detection name
data/files/.zog/.am    b30c193f98e83b7e6f086bba1e17a9ea    /system/xbin/.gasys    Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.an    41ab20131f53cbb6a0fb69a143f8bc66    /system/lib/libgstdsys.so    Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.b    ae822aed22666318c4e01c8bd88ca686    /system/xbin/.hole.a    Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.k    5289027ca9d4a4ed4663db445d8fc450    /system/bin/debuggerd    Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.m    5af47875666c9207110c17bc8627ce30    /system/bin/ddexe    script
data/files/.zog/.c    d335ac148f6414f0ce9c30ac63c20482    /system/xbin/.hole    Backdoor.AndroidOS.Ztorg.c

All of these files can only be dropped from the Trojan's body; they aren't downloaded.

Malicious apps
File name    Name    MD5    Path after infection    Detection name
data/files/.zog/.l    mains.apk    87030ae799e72994287c5b37f6675667    /system/priv-app/dpl.apk    Trojan-Dropper.AndroidOS.Agent.cv
data/files/.zog/.o    mains2.apk    93016a4a82205910df6d5f629a4466e9    /system/priv-app/.gmq.apk    Trojan.AndroidOS.Boogr.gsh
data/files/.zog/.n    mainm.apk    6aad1baf679b42adb55962cdb55fb28c    /system/priv-app/.gma.apk    Backdoor.AndroidOS.Ztorg.a
data/files/.zog/.al    .al    7d7247b4a2a0e73aaf8cc1b5c6c08221    /system/priv-app/.gmtgp.apk    Trojan.AndroidOS.Hiddad.c

.gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C http://api.ddongfg.com/pilot/api/) another encrypted module, decrypts it and loads it. In my case it downloaded Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is http://g.ieuik.com/pilot/api/; additional domains are g.uikal.com and api.ddongfg.com.

The Trojan uses accessibility services to install (and even buy) apps from the Google Play store.

It also downloads apps into the .googleplay_download directory on the SD card and installs them by using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons in any of 13 languages: English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods for detecting emulators, sandboxes and virtual machines as the original infected module.

It downloads an encrypted file from the C&C api.jigoolng.com/only/gp0303/12.html into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:

  • log.agoall.com/gkview/data/,
  • active.agoall.com/gnview/api/,
  • newuser.agoall.com/oversea_adjust_and_download_write_redis/api/download/,
  • api.agoall.com/only/

The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and are listed in the installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (a.gqkao.com/igq/api/, d.oddkc.com/igq/api/, 52.74.240.149/igq/api, api.jigoolng.com/only/) didn't return any commands, so I don't know the main purpose of this app.

This app can modify /system/etc/install-recovery.sh and download files to the /.androidgp/ folder on the SD card. These files are then installed into the system folders (/system/app/ or /system/priv-app/).

I suppose this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn't able to download its additional module isgq.jar from its C&Cs (a.apaol.com/igq/api, c.oddkc.com/igq/api, 52.74.240.149/igq/api).

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them contain some well-known ad services.

Package name    Detection    MD5    Ad modules
co.uhi.tadsafa    Trojan-Downloader.AndroidOS.Rootnik.g    d1ffea3d2157ede4dcc029fb2e1c3607    mobvista, batmobi
com.friend.booster    Trojan.AndroidOS.Ztorg.bo    5c99758c8622339bffddb83af39b8685    mobvista, batmobi
sq.bnq.gkq    Trojan-Downloader.AndroidOS.Rootnik.g    10272af66ab81ec359125628839986ae    mobvista, batmobi
main.ele.com.blood    Trojan.AndroidOS.Ztorg.bo    8572aec28df317cd840d837e73b2554a    mobvista

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But the use of clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these same ads were used to distribute the original infected app.

Several new folders appear on the SD card after a successful infection. Among them:

  • .googleplay_download
  • .nativedroid
  • .sysAndroid
  • DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection, and after infection they were used to distribute other apps, some of them malicious.
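The drop locations and the install-recovery.sh persistence described in the sections above give an incident responder a concrete checklist for a device suspected of Ztorg infection. The triage script below is an added example and not part of the original article. It takes a file listing (for instance the output of adb shell find /system /sdcard /data -type f; the listing here is constructed, not captured) together with the contents of /system/etc/install-recovery.sh, and reports the post-infection paths from the tables above, anything inside the staging folders (.zog, .googleplay_download, DownloadProvider and the others named in the text), hidden dot-files under /system/xbin, /system/priv-app or /system/app (the pattern all the listed drops follow, so this goes beyond the exact names), and any install-recovery.sh line that references one of them. /system/bin/debuggerd is a legitimate binary that Ztorg overwrites, so it is deliberately not flagged by path alone; that one needs a hash check.

```python
"""Post-infection triage over a device file listing and install-recovery.sh.

Added example, not from the original article. It flags the paths the article
lists as Ztorg drop locations, files inside the staging folders it names,
hidden files under system directories (the pattern those drops follow), and
install-recovery.sh lines that reference any of them (the persistence the
article describes). The listing and script below are constructed samples.
"""
import posixpath
import re

# Post-infection paths from the article's tables -> the name it gives them.
# /system/bin/debuggerd is omitted on purpose: it is a legitimate binary
# that the Trojan replaces, so its presence proves nothing by itself.
KNOWN_PATHS = {
    "/system/xbin/.gasys": "Backdoor.AndroidOS.Ztorg.j (.am)",
    "/system/lib/libgstdsys.so": "Backdoor.AndroidOS.Ztorg.j (.an)",
    "/system/xbin/.hole.a": "Backdoor.AndroidOS.Ztorg.c (.b)",
    "/system/xbin/.hole": "Backdoor.AndroidOS.Ztorg.c (.c)",
    "/system/bin/ddexe": "script (.m)",
    "/system/priv-app/dpl.apk": "Trojan-Dropper.AndroidOS.Agent.cv",
    "/system/priv-app/.gmq.apk": "Trojan.AndroidOS.Boogr.gsh",
    "/system/priv-app/.gma.apk": "Backdoor.AndroidOS.Ztorg.a",
    "/system/priv-app/.gmtgp.apk": "Trojan.AndroidOS.Hiddad.c",
}

# Staging folders named in the article (app-private .zog dir, SD-card dirs).
SUSPICIOUS_DIRS = {
    ".zog", ".googleplay_download", ".nativedroid", ".sysAndroid",
    "DownloadProvider", ".androidgp", ".androidsgqmdata",
}

# Stock images do not carry dot-files here; every Ztorg system drop is one.
SYSTEM_DIRS_NO_DOTFILES = ("/system/xbin/", "/system/priv-app/", "/system/app/")

_PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")


def classify_path(path):
    """Return a finding for one absolute path, or None if it looks benign."""
    if path in KNOWN_PATHS:
        return "known Ztorg drop: " + KNOWN_PATHS[path]
    parts = path.split("/")
    staging = SUSPICIOUS_DIRS.intersection(parts[:-1])
    if staging:
        return "file inside Ztorg staging dir " + sorted(staging)[0]
    if path.startswith(SYSTEM_DIRS_NO_DOTFILES) and posixpath.basename(path).startswith("."):
        return "hidden file under a system directory"
    return None


def scan_listing(lines):
    """Run classify_path over a file listing; returns [(path, finding)]."""
    findings = []
    for line in lines:
        path = line.strip()
        if path:
            finding = classify_path(path)
            if finding:
                findings.append((path, finding))
    return findings


def scan_install_recovery(script_text):
    """Flag non-comment lines whose paths classify_path reports.

    Returns [(line, path, finding)]; a hit means the drop is re-run on every
    boot and survives a factory reset, as the article describes.
    """
    hits = []
    for line in script_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for path in _PATH_RE.findall(line):
            finding = classify_path(path)
            if finding:
                hits.append((line.strip(), path, finding))
    return hits


# Constructed sample listing (not a real device capture).
SAMPLE_LISTING = """
/system/bin/debuggerd
/system/xbin/.gasys
/system/lib/libgstdsys.so
/system/priv-app/.gmtgp.apk
/system/priv-app/dpl.apk
/system/xbin/busybox
/sdcard/.googleplay_download/x.apk
/sdcard/DownloadProvider/y.apk
/sdcard/DCIM/Camera/IMG_0001.jpg
/data/data/com.unit.conversion.use/files/.zog/.am
""".strip().splitlines()

# Constructed install-recovery.sh modelled on the persistence described above.
SAMPLE_INSTALL_RECOVERY = """#!/system/bin/sh
# constructed sample, not a real capture
/system/xbin/.gasys &
/system/bin/ddexe
"""

if __name__ == "__main__":
    for path, finding in scan_listing(SAMPLE_LISTING):
        print(path, "->", finding)
    for line, path, finding in scan_install_recovery(SAMPLE_INSTALL_RECOVERY):
        print("persistence:", line, "->", finding)
```

Anything reported under /system will not go away with an uninstall; since the files sit in the system partition and install-recovery.sh restores them at boot, the only clean remedy is to reflash the firmware.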

Other Trojans

Although almost every Trojan from Google Play discovered during this research had one of the three malicious modules described here, there were also a few other Trojans.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module: it uses accessibility services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on up-to-date devices where it cannot gain root rights.

It used the same command and control servers as .gmtgp.apk.

During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to the Google Play store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month since I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I'm sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allowed me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn't know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used one of the same advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices: they become infected because of a malicious ad from an advertising network, and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to avoid detection. They continued to develop and use new features in their Trojans all the time. This Trojan has a modular structure and uses several modules with different functionality, each of which can be updated over the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. Using these rights allows the Trojan to achieve persistence on the device and deliver ads more aggressively.

Securelist – Information about Viruses, Hackers and Spam

