This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.
After I started tracking these infected apps, two things struck me – how quickly they became popular and the comments in the user review sections.
These infected apps quickly became very popular, gaining thousands of new users every day!
For example, com.fluent.led.compass had 10,000–50,000 installations on the day I found and reported it to Google.
However, it still wasn’t deleted from Google Play the next day, and the number of installations increased tenfold to 100,000–500,000. This means there were at least 50,000 new infected users in the space of just one day.
There were lots of comments saying that people downloaded these apps for credits/money/etc.
In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.
That’s where this latest piece of research began.
Apps that pay users
The app mentioned most often in the comments was Appcoins, so I installed it. After that, the app prompted me to install other apps, including one that was malicious, for $0.05.
To be honest, I was surprised that only one was malicious – all the other apps were clean.
The funny thing is that they check for root rights on the device and don’t pay those who have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.
I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and replied to me saying there was no malware and that they had done nothing wrong.
Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:
And of course they offered malware too:
All of these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.
So I decided to take a closer look at these offers and the dumped traffic for these apps.
A typical session in which an advertising app turned into a malicious one was as follows:
The app receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually supersonicads.com and aptrk.com).
After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to global.ymtracking.com or avazutracking.net. These URLs are related to the advertisements too.
Then it redirects to track.iappzone.net.
And the final URL that leads to the Google Play Store was app.adjust.com.
All the offers that I was able to dump had track.iappzone.net and app.adjust.com in them.
adjust.com is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:
By analyzing these URLs we can identify infected apps on Google Play.
URLs from iappzone.net look like this:
This URL structure (offer_id=..&aff_id=..&campaign=..) is related to the OffersLook tracking system. It contains many interesting things, like the offer id and the affiliate id. But it turns out that the cybercriminals use different values for them, making these parameters unusable for us. Except one – install_callback. This parameter contains the name of the ad service.
While searching for iappzone.net I was able to find some APK files that contained this URL. All of these files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that iappzone.net used the IP 220.127.116.11. The same IP was used by aedxdrcb.com, which was mentioned in Check Point’s Gooligan report. A few weeks after that report was made public, iappzone.net (which wasn’t mentioned in the report) was moved to a new IP – 139.162.57.41.
Fortunately I was able to find iappzone.net not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.
Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server api2.batmobil.net.
The user sees a list of advertised apps:
After the user clicks on the ads, they’re redirected to the Google Play Store.
In this case, the redirects look like this:
api2.batmobil.net -> global.ymtracking.com -> tracking.acekoala.com -> click.apprevolve.com -> track.iappzone.net -> app.adjust.com -> play.google.com
After analyzing ad campaigns containing iappzone.net, I was able to find almost 100 infected apps being promoted on Google Play.
The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. It turns out the cybercriminals only used 4 ad networks.
| Yeahmobi (global.ymtracking.com) | 41% |
However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks sell their ads to a variety of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads always pointed to one of the four advertising networks listed above.
Furthermore, I tracked several malicious ad campaigns that looked like this:
Batmobi -> Yeahmobi -> SupersonicAds
This means that these networks also redistribute ads to each other.
I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.
During my research I found some infected apps that weren’t promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (apart from the installation path /data/app) were as follows:
I analyzed the apps using these paths and found that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders aren’t all malicious – most of them are clean.
| Folder’s name | Type | Detection %* |
* Malicious apps that were downloaded to a specific folder as a share of all apps in that folder.
All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. It looks like these apps were created specifically for distributing malware.
Publishers from Google Play
Some of the publishers’ emails from Google Play:
When I started to search for them, I found that most of the emails are related to Vietnam.
trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer
liemproduction08 -> liem production – Thuat Liem Production, a company from Ho Chi Minh City, Vietnam
nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of the Chinese name Wang Yuan
Almost all the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.
Every infected app from Google Play with this type of malicious module was protected by a packer. I’ll describe the app with the package name com.equalizer.items.listener. It was packed using the Qihoo packer. This app has lots of classes and only some of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events. This means that the malicious code only starts executing after the user installs/updates/removes an app.
As a first step, the malicious module checks whether it’s running on a virtual machine, emulator or sandbox. To do so, it checks several dozen files that exist on different machines and several dozen values of different device properties. If this check is passed, the Trojan starts a new thread.
In this new thread the Trojan waits a random period of time, between an hour and an hour and a half. After waiting it makes an HTTP GET request to the C&C (em.kmnsof.com/only) and, in response, the Trojan receives a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an ‘xorred’ JAR that contains the malicious classes.dex – the main module.
Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. At first they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the whole code, moving all the functionality to an ELF (native, .so) library.
Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)
The malicious code is triggered after app execution starts, from the onCreate method.
The malicious code in the infected classes.dex is simple – it starts a new thread that loads the MyGame library, and it has two methods for handling sandbox detection, which will be executed from the library.
In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.
After starting, the MyGame library checks whether it’s running in a sandbox by executing the two methods from classes.dex. One tries to register a receiver for the BATTERY_CHANGED action and checks that this succeeds. The other tries to get application info about the com.android.vending package (the Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library executes a GET request to the command server.
It receives: “BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg==”
The library decodes this answer (base64) and xors it with the key 0x66, which yields:
g_class_name = b.a.b.a
g_method_name = b
g_url = http://dow.nctylmtp.com/hy/hy003/gp003.apk
g_key = 80
The .apk file available at g_url is downloaded into the cache folder of the app folder (/data/data/<package_name>/cache). The library xors it with g_key and loads it using a ClassLoad method from the DexClassLoader class.
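To reproduce this decoding step during analysis, here is an added example (my code, not the malware’s and not from the original article) that base64-decodes the quoted C&C reply, xors it with 0x66 and splits out the four g_* values; the comma-separated field order is inferred from the decoded text, and the same single-byte xor helper covers the downloaded .apk (g_key) and the later variant’s info.data asset (0x12). The ZIP-header sanity check in decode_payload is my addition.

```python
import base64

# The C&C reply quoted in the article, and the xor key the article gives for it.
CNC_REPLY_B64 = "BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg=="
CNC_REPLY_KEY = 0x66

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte xor. The same primitive covers the C&C reply (0x66),
    the downloaded .apk (g_key) and the third variant's info.data (0x12)."""
    return bytes(b ^ (key & 0xFF) for b in data)

def decode_cnc_reply(reply_b64: str, key: int = CNC_REPLY_KEY) -> dict:
    """Base64-decode the reply, xor it and split the comma-separated fields.
    Field order (class, method, url, key) is inferred from the decoded text."""
    plain = xor_bytes(base64.b64decode(reply_b64), key).decode("ascii")
    fields = plain.split(",")
    if len(fields) != 4:
        raise ValueError(f"unexpected field count {len(fields)}: {plain!r}")
    class_name, method_name, url, key_str = fields
    return {
        "g_class_name": class_name,
        "g_method_name": method_name,
        "g_url": url,
        "g_key": int(key_str),
    }

def decode_payload(blob: bytes, g_key: int) -> bytes:
    """Recover the plain .apk from the xored download using g_key.
    Sanity check (my addition): an APK is a ZIP, so it must start with 'PK'."""
    out = xor_bytes(blob, g_key)
    if out[:2] != b"PK":
        raise ValueError("decoded data does not start with a ZIP header")
    return out

if __name__ == "__main__":
    cfg = decode_cnc_reply(CNC_REPLY_B64)
    for name, value in cfg.items():
        print(f"{name} = {value}")
    # Constructed stand-in for a downloaded file: a fake APK prefix xored with g_key.
    fake_download = xor_bytes(b"PK\x03\x04constructed", cfg["g_key"])
    print(decode_payload(fake_download, cfg["g_key"])[:4])
```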
As we can see, the cybercriminals changed a lot in the malicious code and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.
Once I was able to get the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users who install apps via advertisements. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.
In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference from the previous version is that it’s no longer a Trojan-Downloader. It doesn’t download the main module from a malicious server; instead it contains an encrypted module in the assets folder of the installation package. The file, called info.data, is xored with 0x12 and then loaded using the ClassLoad method.
Payload (main module)
In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.
This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.
Some files can only be dropped from this module; there are no URLs for them.
Some of the URLs with the down.118pai.com domain didn’t work at the time of this research. All files that have these URLs can also be dropped. All files that have URLs only and cannot be dropped have URLs with the domains sololauncher.mobi and freeplayweb.com, which were accessible at the time of this research.
In one of the earlier versions of the main module, dated September 2016, all the URLs had the down.118pai.com domain and were available at that time.
Some of the dropped/downloaded malicious files can be added to the /system/etc/install-recovery.sh file. This means that these files remain on the device even after a reset to factory settings.
All files that are dropped and downloaded by this module can be divided into several groups:
Clean files, tools
| File name | Tool name | MD5 |
Exploits, exploit packs, exploit droppers
| File name | Name | MD5 | Detection name |
| data/data/.Ag/Agcr | Agcr64 | B111DD21FD4FCEFDC8268327801E55CE | Exploit.AndroidOS.Lotoor.bv |
| data/data/.zog/.ag/cx | cx | 892E033DA182C06794F2B295377B8A65 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/exp | exp | 6E17234C57308012911C077A376538DC | Exploit.AndroidOS.Lotoor.bz |
| data/files/.zog/.ag/nn.zip | maink.apk/bx | 70ebfa94c958e6e6a7c6b8cd61b71054 | Exploit.AndroidOS.Lotoor.bu |
| data/files/.zog/.aa | mainp.apk/r1 | c27e59f0f943cf7cc2020bda7efb442a | Exploit.AndroidOS.Lotoor.bh |
| data/files/.zog/.aa | mainp.apk/r2 | 368df668d4b62bdbb73218dd1f470828 | Exploit.AndroidOS.Lotoor.bi |
| data/files/.zog/.aa | mainp.apk/r3 | fb8449d1142a796ab1c8c1b85c7f6569 | Exploit.AndroidOS.Lotoor.bh |
| data/data/.zog/.aa | mainp.apk/r4 | 04dd488783dffcfd0fa9bbac00dbf0f9 | Exploit.Linux.Enoket.a |
| data/files/.zog/.ad | mainmtk.apk | b4b805dc90fa06c9c7e7cce3ab6cd252 | Exploit.AndroidOS.Lotoor.bi |
| data/files/.zog/.ag/np | np | 1740ae0dc078ff44d9f229dccbd9bf61 | Exploit.Linux.Enoket.a |
Most of these files can be downloaded by the Trojan, but some of them can only be dropped from the Trojan body. Notably, most of the downloaded files are the same as they were seven months earlier, in September 2016.
Native (ELF) malicious modules
| File name | MD5 | Path after infection | Detection name |
All of these files can only be dropped from the Trojan’s body. They aren’t downloaded.
| File name | Name | MD5 | Path after infection | Detection name |
This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C http://api.ddongfg.com/pilot/api/) an additional encrypted module, then decrypts and loads it. In my case it downloaded Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).
Its C&C is http://g.ieuik.com/pilot/api/; additional domains are g.uikal.com and api.ddongfg.com.
The Trojan uses accessibility services to install (and even buy) apps from the Google Play Store.
It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click on buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons in any of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.
This module contains the same methods for detecting emulators, sandboxes and virtual machines as the original infected module.
It downloads an encrypted file from the C&C api.jigoolng.com/only/gp0303/12.html into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.
The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:
The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.
In my case, it downloaded 5 malicious APKs; 4 of them were installed and listed in the installed apps section.
This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (a.gqkao.com/igq/api/, d.oddkc.com/igq/api/, 52.74.240.149/igq/api, api.jigoolng.com/only/) didn’t return any commands, so I don’t know the main purpose of this app.
This app can modify /system/etc/install-recovery.sh and download files to the /.androidgp/ folder on the SD card. These files are installed in the system folders (/system/app/ or /system/priv-app/).
I suppose this Trojan is needed to update other modules.
This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (a.apaol.com/igq/api, c.oddkc.com/igq/api, 52.74.240.149/igq/api).
The following apps were silently downloaded and installed on the device after infection. All of them contain some well-known ad services.
| Package name | Detection | MD5 | Ad modules |
They also have malicious modules that start downloading ads and apps when commanded by their C&C.
But the use of clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.
Several new folders appear on the SD card after a successful infection. Among them:
All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.
Although almost every Trojan from Google Play found during this research had one of the three malicious modules described here, there were also a few other Trojans.
One of them, called Money Converter (com.countrys.converter.forex, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses accessibility services to install apps from Google Play. As a result, the Trojan can silently install and run promoted apps without any interaction with the user, even on up-to-date devices where it cannot gain root rights.
It used the same command and control servers as .gmtgp.apk.
During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to the Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.
All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected every day.
I discovered that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.
I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.
Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network, and after infection they see ads from the same advertising network because of the Trojan and its modules.
Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to avoid detection. They continued to develop and use new features in their Trojans all the time. This Trojan has a modular structure and uses several modules with different functionality, each of which can be updated over the internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. These rights allow the Trojan to achieve persistence on the device and deliver ads more aggressively.