An eight-month-long investigation by Roman Unuchek, a security researcher at Kaspersky Lab, has uncovered one of the most complex malware distribution schemes seen to date on the Android malware scene.
According to Unuchek, for the last year, the criminal group behind the Ztorg Android trojan has been using so-called “rewards apps,” to deliver malware on the devices of unsuspecting users.
These “rewards apps” are Android apps that provide money to users who install apps from their collection.
A user using a rewards app usually earns a commission of a few US cents if he installs an app on his device. The more apps they install, the more money they earn, which they can then use to buy game coins or access to commercial apps.
These apps are usually managed by advertising companies who get paid by app developers who want to make sure their app reaches as many devices as possible.
Rewards apps are some of the few app types that allow everyone to get what they want. The user gets money, the app maker gets installs, and the advertiser gets his pay-per-install fee.
Rewards apps delivered applications infected with Ztorg
According to Unuchek, some of the rewards apps available through the Play Store have delivered apps installed with the Ztorg malware. The researcher says that not all apps delivered through rewards apps are infected with malware, but once in a while, these services push trojanized apps.
Unuchek discovered this distribution method by accident, as he was initially looking at how the Ztorg malware was evolving, after he was the first one to spot the malware in September 2016, disguised as a Pokemon Go guide app.
As he found new Android apps infected with Ztorg on the official Play Store, the researcher noticed that these apps were growing in popularity in huge increments, sometime doubling the number of installs overnight.
One rewards app deletes malware offer and denies everything
By some clever sleuthing, Unuchek tracked down the source of these installs to rewards apps such as Appcoins, SuperPocket, or Make money-Earn gift cards.
The researcher says that when he contacted developers behind the Appcoins rewards app to inquire from where the advertising offer for the Ztorg-infected app came from, Appcoins devs “deleted the [app install] offer and answered [Unuchek] by saying there was no malware and that they had done nothing wrong.”
Certainly not the response the researcher was expecting, which raises plenty of questions about the intentions and professionalism of the people running these services.
Three apps infected with Ztorg spotted each month
Furthermore, the researcher found other interesting things. For example, Unuchek discovered some shared infrastructure between the Ztorg gang and the Gooligan Android malware, first spotted in November 2016.
Furthermore, almost all Ztorg-infected Android apps spread through these rewards apps were registered by developers that used emails with Vietnamese names.
“Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play,” Unuchek writes in the conclusion of his investigation. “The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.”
Apps infected with Ztorg are incredibly dangerous, because once the user launches this app into execution, the trojan uses rooting exploits to get admin privileges on the user’s device.
Until now, researchers spotted Ztorg using these admin privileges to show ads, but the malware could do much more harm if its authors ever desired.