{
	"id": "43ff1f78-e7d3-42d8-92aa-1ee1b63db9b2",
	"created_at": "2026-04-06T00:08:23.128031Z",
	"updated_at": "2026-04-10T03:21:16.853093Z",
	"deleted_at": null,
	"sha1_hash": "ac15d4c10fb85ddb251f6e75ffc4315e5dc2db51",
	"title": "Teardown of a Recent Variant of Android/Ztorg (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1016359,
	"plain_text": "Teardown of a Recent Variant of Android/Ztorg (Part 1)\r\nBy Axelle Apvrille\r\nPublished: 2017-03-15 · Archived: 2026-04-05 15:42:32 UTC\r\nZtorg, also known as Qysly, is one of those big families of Android malware. It first appeared in April 2015, and\r\nnow has over 25 variants, some of which are still active in 2017. Yet, there aren't many technical descriptions of it\r\n- except for the initial Ztorg.A sample - so I decided to have a look at one of the newer\r\nvariants, Android/Ztorg.AM!tr, which we detected on January 20, 2017.\r\nThe sample poses as a \"Cool Video Player\" and its malicious activity was so well hidden that I initially thought I had\r\nrun into a False Positive. Definitely not, however, as we'll see.\r\nLocating the Malicious Code\r\nThe sample's manifest shows the main activity is located in com.mx.cool.videoplayer.activity.MainActivity.\r\nThis activity initializes multiple SDKs, in which I could not detect any malicious intent:\r\ncom.adjust: Adjust SDK, for app analytics\r\ncom.batmobi: Batmobi, for mobile advertising\r\ncom.catchgift: the code shows this is clearly for advertising\r\ncom.marswin89: this is MarsDaemon, a library to keep apps alive. Interesting, but not malicious as such.\r\ncom.squareup: well-known mobile payment\r\ncom.umeng: well-known mobile advertising \u0026 analytics\r\nSo, where is the malicious code? 
Or is it just some not-so-clean code in one of these SDKs that triggered a (false\r\npositive) alert?\r\nhttps://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1\r\nPage 1 of 20\n\nI kept on looking in other namespaces of the app:\r\nu.aly contained code for Mobclick - advertising again (hey, for the sake of AV analysts at least, can you\r\ndevelopers stop using so many advertising SDKs, huh?),\r\nandroid.support.v4 is standard for app development.\r\nNamespace e.i.o.q isn't doing anything apart from calling functions from the a namespace.\r\nSo, that's when I started looking into namespace a...\r\nString Obfuscation\r\nI immediately noticed many obfuscated strings, and couldn't resist de-obfuscating them (after all, I'm the Crypto\r\nGirl, right?).\r\nFor instance, we have this:\r\nand c.a() is implemented as follows:\r\nThis basically takes the first and last byte as the XOR key for the rest of the byte array. From that, I wrote a quick\r\nstandalone Python decoder, mimicking the decompiled code. It is handy, but as I use JEB2, a script is even better,\r\nsince it can replace the strings directly in the decompiled output.\r\nJEB scripts are a little trickier to write. Mine parses the decompiled classes, and in each class locates statements\r\nwith a c.a(new byte[] { ... }). The call to the decoding function occurs in several situations though, e.g. v0[6] =\r\nc.a(new byte[]{... but also a = new String(c.a(new byte[]{.... Consequently, the right-hand side of the line needs to\r\nbe analyzed quite closely. Then, when a call is detected, the script decodes the value and replaces it with the\r\nresult.\r\nFor example, the first figure (on the left) illustrates the initial decompiled code for a.a.a. The second figure shows\r\nthe result after applying the script.
\r\nMy scripts are available on GitHub.\r\nEmulator Detection\r\nAmong the decoded strings, we notice many references to VirtualBox, QEMU, etc. This is emulator detection,\r\nand we'll see that it is particularly advanced.\r\nLet's go back to the flow of execution. The onCreate() method of the main activity (MainActivity) calls f(), which\r\ncalls e.i.o.q.d(). Reversing e.i.o.q.d(), we understand that the function tests whether it is running on an emulator or\r\nnot. It only runs the malicious part if not on an emulator, which explains why sandboxes won't be able to\r\nrecord any malicious activity.\r\nThe emulator detection routine is particularly advanced and extensive. It detects standard Android\r\nemulators, Genymotion emulators, Bluestacks emulators, BuilDroid VMs, and also tainted environments\r\nthat use TaintDroid.\r\nThe detection is based on:\r\n1. Specific values in system properties. This is quite standard, except that the tests are particularly extensive (see\r\nTable 1) in this case.\r\n2. Typical values for IMEI, IMSI and phone number on emulators. On Genymotion, the IMEI can be\r\ncustomized, but not the IMSI. On standard Android SDK emulators, none of these are easily customizable.\r\nIt is possible to patch and re-compile one's emulator.\r\n3. Presence of specific files. For example, /dev/qemu_pipe. From an AV analyst's perspective, this is difficult\r\nto counter, because many of the emulating environments won't work properly without these files.\r\n4. Checking values in given system files. In particular, it's the first time I have seen malware checking\r\nvalues inside /proc/net/tcp. This is interesting: the file records active TCP connections. The first column\r\ncorresponds to the number of entries, the second column is the local address, the third column the local port, and the fourth\r\ncolumn the remote address. 
On a real device, we have something like this:\r\n0: 4604D20A:B512 A3D13AD8...\r\nBut on emulators, the addresses are zeroed and easily noticeable:\r\n0: 00000000:0016 00000000:0000\r\n5. Specific TaintDroid class (dalvik.system.Taint) and injected fields (name in the FileDescriptor class\r\nand key in Cipher). The code was probably inspired by Tim Strazzere's Anti Emulator code.\r\nDownloading Remote Content\r\nWe have seen that the sample implements advanced emulator detection. However, many clean apps do that for\r\nvarious reasons. So where is the malicious stuff? At this point, we aren't convinced yet that this is not a False\r\nPositive.\r\nActually, we're getting closer. After the sample has tested that it is not running on an emulator, it sends an HTTP\r\nrequest to hXXp://bbs.tihalf.com/only/[$1]/2.html?. This is a URL we de-obfuscated at the previous step.\r\nThe [$1] is replaced with gp1187 (another de-obfuscated string), and an information blob is appended to the URL,\r\nwhere the blob is a DES-encrypted JSON object containing the code version, SDK version, etc.\r\nThis is getting more suspicious.\r\nThe response is base64 encoded and encrypted with DES-CBC (see class a.c.a):\r\nThe key is hard-coded (it's the de-obfuscated string sokhlwej) and the IV is DES_e.IV = new byte[]{1, 2, 3, 4, 5,\r\n6, 7, 8};. We decrypt the server's response:\r\nWe notice that o and p contain a link to an Android package. Are they used? Yes! As soon as the JSON object is\r\nretrieved, the sample reads the URL in o and tries to download the file. If o does not work, it tries p.\r\nSo, basically, in this case, the sample downloads another Android package\r\nfrom hXXp://alla.tihalf.com/only/gp1187/gp1187.apk and stores it locally on the smartphone.\r\nBut we are not done yet. 
The downloaded APK is not in clear text:\r\nIt is XOR-ed with 0x99 (see the code excerpt of class a.d.f) and copied to a file named dba.jar:\r\nThis indeed results in a valid Android package:\r\nAnd then? It loads the downloaded application, of course! See the code below - taken from a.d.n.\r\nThe installation of the application is done via DexClassLoader and is invisible to the end user.\r\nFinally, it invokes a method of that application. Specifically, it loads the class referenced by key q in the JSON\r\nobject, and invokes the method named by key h in the JSON object:\r\nIn our case, q is n.a.c.q and h is c, so the sample invokes n.a.c.q.c().\r\nConclusion\r\nThis Ztorg sample does a very good job of concealing its maliciousness, but we can confirm that it is malicious\r\nand not a False Positive.\r\nIt implements many emulator detection features. It detects the Android SDK emulator, but also\r\nemulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. 
Several\r\nof its checks will be difficult to bypass.\r\nIt uses string obfuscation, based on XOR.\r\nIt communicates with a remote server using DES-CBC encryption.\r\nIt downloads, installs and launches an Android application from that remote server.\r\nIn part 2 of this analysis, we will examine the downloaded application.\r\n-- the Crypto Girl\r\nAppendix:\r\nSample analyzed in this article:\r\nsha256: 2c546ad7f102f2f345f30f556b8d8162bd365a7f1a52967fce906d46a2b0dac4\r\nTable 1: Elements tested by Android/Ztorg.AM!tr to detect emulators\r\nCheck Value to detect\r\nro.product_name sdk, full, vbox\r\nro.product_model emulator, sdk, android\r\nro.product_brand google, generic, android\r\nro.product_board unknown\r\nro.product_manufacturer unknown, genymotion\r\nro.product_product unknown, vbox, generic\r\nro.product_tags test\r\nro.build_host google\r\nBuild.BOARD unknown\r\nBuild.DEVICE generic, generic_x86\r\nBuild.MODEL sdk, google_sdk, 'Android SDK built for x86', emulator\r\nBuild.HARDWARE goldfish, vbox86\r\nBuild.PRODUCT google_sdk, sdk_x86, vbox86p, generic\r\nBuild.MANUFACTURER unknown, Genymotion\r\nBuild.BRAND generic_x86\r\nBuild.FINGERPRINT generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p\r\nIMEI generic, 000000000000000, e21833235b6eef10, 012345678912345\r\nIMSI 310260000000000\r\nPhone number 15555215554, 15555215556, ... 15555215578\r\n/proc/tty/drivers contains goldfish\r\n/proc/cpuinfo contains goldfish\r\n/proc/net/tcp contains zeroed values\r\n/system/libc_malloc_debg_qem.so presence of file\r\n/sys/qemu_trace presence of file\r\n/system/bin/qemu-props presence of 
file\r\n/dev/socket/genyd presence of file\r\n/dev/socket/baseband_genyd presence of file\r\n/dev/socket/qemud presence of file\r\n/dev/qemu_pipe presence of file\r\n/data/app/com.bluestacks.BstCommandProcessor-1.apk presence of file\r\n/data/app/com.bluestacks.help-1.apk presence of file\r\n/data/app/com.bluestacks.home-1.apk presence of file\r\n/data/app/com.bluestacks.s2p-1.apk presence of file\r\n/data/app/com.bluestacks.searchapp-1.apk presence of file\r\n/data/bluestacks.prop presence of file\r\n/data/data/com.androVM.vmconfig presence of file\r\n/data/data/com.bluestacks.accelerometerui presence of file\r\n/data/data/com.bluestacks.appfinder presence of file\r\n/data/data/com.bluestacks.appmart presence of file\r\n/data/data/com.bluestacks.appsettings presence of file\r\n/data/data/com.bluestacks.BstCommandProcessor presence of file\r\n/data/data/com.bluestacks.help presence of file\r\n/data/data/com.bluestacks.s2p presence of file\r\n/data/data/com.bluestacks.searchapp presence of file\r\n/data/data/com.bluestacks.settings presence of file\r\n/data/data/com.bluestacks.setup presence of file\r\n/data/data/com.bluestacks.spotlight presence of file\r\n/data/youwave_id presence of file\r\n/dev/qemu_pipe presence of file\r\n/dev/socket/qemud presence of file\r\n/dev/vboxguest presence of file\r\n/dev/vboxuser presence of file\r\n/fstab.vbox86 presence of file\r\n/init.vbox86.rc presence of file\r\n/mnt/prebundledapps/propfiles/ics.bluestacks.prop.note presence of file\r\n/mnt/prebundledapps/propfiles/ics.bluestacks.prop.s2 presence of 
file\r\n/mnt/prebundledapps/propfiles/ics.bluestacks.prop.s3 presence of file\r\n/mnt/sdcard/bstfolder/InputMapper/com.bluestacks.appmart.cfg presence of file\r\n/mnt/sdcard/buildroid-gapps-ics-20120317-signed.tgz presence of file\r\n/mnt/sdcard/windows/InputMapper/com.bluestacks.appmart.cfg presence of file\r\n/sys/bus/pci/drivers/vboxguest presence of file\r\n/sys/bus/pci/drivers/vboxguest/0000:00:04.0 presence of file\r\n/sys/bus/pci/drivers/vboxguest/bind presence of file\r\n/sys/bus/pci/drivers/vboxguest/module presence of file\r\n/sys/bus/pci/drivers/vboxguest/new_id presence of file\r\n/sys/bus/pci/drivers/vboxguest/remove_id presence of file\r\n/sys/bus/pci/drivers/vboxguest/uevent presence of file\r\n/sys/bus/pci/drivers/vboxguest/unbind presence of file\r\n/sys/bus/platform/drivers/qemu_pipe presence of file\r\n/sys/bus/platform/drivers/qemu_trace presence of file\r\n/sys/class/bdi/vboxsf-c presence of file\r\n/sys/class/misc/vboxuser presence of file\r\n/sys/devices/virtual/misc/vboxguest presence of file\r\n/sys/devices/virtual/misc/vboxguest/dev presence of file\r\n/sys/devices/virtual/misc/vboxguest/power presence of file\r\n/sys/devices/virtual/misc/vboxguest/subsystem presence of file\r\n/sys/devices/virtual/misc/vboxuser presence of file\r\n/sys/devices/virtual/misc/vboxuser/dev presence of file\r\n/sys/devices/virtual/misc/vboxuser/subsystem presence of file\r\n/sys/devices/virtual/misc/vboxuser/uevent presence of file\r\n/sys/module/vboxguest presence of file\r\n/sys/module/vboxguest/coresize presence of file\r\n/sys/module/vboxguest/drivers presence of file\r\n/sys/module/vboxguest/drivers/pci:vboxguest presence of file\r\n/sys/module/vboxguest/holders presence of 
file\r\n/sys/module/vboxguest/holders/vboxsf presence of file\r\n/sys/module/vboxguest/initstate presence of file\r\n/sys/module/vboxguest/notes presence of file\r\n/sys/module/vboxguest/notes/.note.gnu.build-id presence of file\r\n/sys/module/vboxguest/parameters presence of file\r\n/sys/module/vboxguest/parameters/log presence of file\r\n/sys/module/vboxguest/parameters/log_dest presence of file\r\n/sys/module/vboxguest/parameters/log_flags presence of file\r\n/sys/module/vboxguest/refcnt presence of file\r\n/sys/module/vboxguest/sections presence of file\r\n/sys/module/vboxguest/sections/.altinstr_replacement presence of file\r\n/sys/module/vboxguest/sections/.bss presence of file\r\n/sys/module/vboxguest/sections/.data presence of file\r\n/sys/module/vboxguest/sections/.exit.text presence of file\r\n/sys/module/vboxguest/sections/.fixup presence of file\r\n/sys/module/vboxguest/sections/.gnu.linkonce.this_module presence of file\r\n/sys/module/vboxguest/sections/.init.text presence of file\r\n/sys/module/vboxguest/sections/__ksymtab presence of file\r\n/sys/module/vboxguest/sections/__ksymtab_strings presence of file\r\n/sys/module/vboxguest/sections/.note.gnu.build-id presence of file\r\n/sys/module/vboxguest/sections/__param presence of file\r\n/sys/module/vboxguest/sections/.rodata.str1.1 presence of file\r\n/sys/module/vboxguest/sections/.smp_locks presence of file\r\n/sys/module/vboxguest/sections/.strtab presence of file\r\n/sys/module/vboxguest/sections/.symtab presence of file\r\n/sys/module/vboxguest/sections/.text presence of file\r\n/sys/module/vboxguest/srcversion presence of file\r\n/sys/module/vboxguest/taint presence of file\r\n/sys/module/vboxguest/uevent presence of 
file\r\n/sys/module/vboxguest/version presence of file\r\n/sys/module/vboxsf presence of file\r\n/sys/module/vboxsf/coresize presence of file\r\n/sys/module/vboxsf/holders presence of file\r\n/sys/module/vboxsf/initsize presence of file\r\n/sys/module/vboxsf/initstate presence of file\r\n/sys/module/vboxsf/notes presence of file\r\n/sys/module/vboxsf/notes/.note.gnu.build-id presence of file\r\n/sys/module/vboxsf/sections presence of file\r\n/sys/module/vboxsf/sections/.bss presence of file\r\n/sys/module/vboxsf/sections/__bug_table presence of file\r\n/sys/module/vboxsf/sections/.data presence of file\r\n/sys/module/vboxsf/sections/.exit.text presence of file\r\n/sys/module/vboxsf/sections/.note.gnu.build-id presence of file\r\n/sys/module/vboxsf/sections/.rodata presence of file\r\n/sys/module/vboxsf/sections/.rodata.str1.1 presence of file\r\n/sys/module/vboxsf/sections/.smp_locks presence of file\r\n/sys/module/vboxsf/sections/.strtab presence of file\r\n/sys/module/vboxsf/sections/.symtab presence of file\r\n/sys/module/vboxsf/sections/.text presence of file\r\n/sys/module/vboxsf/srcversion presence of file\r\n/sys/module/vboxsf/taint presence of file\r\n/sys/module/vboxsf/uevent presence of file\r\n/sys/module/vboxsf/version presence of file\r\n/sys/module/vboxvideo presence of file\r\n/sys/module/vboxvideo/coresize presence of file\r\n/sys/module/vboxvideo/holders presence of file\r\n/sys/module/vboxvideo/initsize presence of file\r\n/sys/module/vboxvideo/initstate presence of file\r\n/sys/module/vboxvideo/notes presence of file\r\n/sys/module/vboxvideo/notes/.note.gnu.build-id presence of file\r\n/sys/module/vboxvideo/refcnt presence of file\r\n/sys/module/vboxvideo/sections presence of 
file\r\n/sys/module/vboxvideo/sections/.exit.text presence of file\r\n/sys/module/vboxvideo/sections/.gnu.linkonce.this_module presence of file\r\n/sys/module/vboxvideo/sections/.init.text presence of file\r\n/sys/module/vboxvideo/sections/.note.gnu.build-id presence of file\r\n/sys/module/vboxvideo/sections/.rodata.str1.1 presence of file\r\n/sys/module/vboxvideo/sections/.strtab presence of file\r\n/sys/module/vboxvideo/sections/.symtab presence of file\r\n/sys/module/vboxvideo/sections/.text presence of file\r\n/sys/module/vboxvideo/srcversion presence of file\r\n/sys/module/vboxvideo/taint presence of file\r\n/sys/qemu_trace presence of file\r\n/system/app/bluestacksHome.apk presence of file\r\n/system/bin/get_androVM_host presence of file\r\n/system/bin/mount.vboxsf presence of file\r\n/system/etc/init.androVM.sh presence of file\r\n/system/etc/init.buildroid.sh presence of file\r\n/system/lib/hw/audio.primary.vbox86.so presence of file\r\n/system/lib/hw/camera.vbox86.so presence of file\r\n/system/lib/hw/gralloc.vbox86.so presence of file\r\n/system/lib/hw/sensors.vbox86.so presence of file\r\n/system/lib/libc_malloc_debug_qemu.so presence of file\r\n/system/lib/modules/3.0.8-android-x86+/extra/vboxsf presence of file\r\n/system/lib/modules/3.0.8-android-x86+/extra/vboxsf/vboxsf.ko presence of file\r\n/system/lib/vboxguest.ko presence of file\r\n/system/lib/vboxsf.ko presence of file\r\n/system/lib/vboxvideo.ko presence of file\r\n/system/usr/idc/androVM_Virtual_Input.idc presence of file\r\n/system/usr/keylayout/androVM_Virtual_Input.kl presence of file\r\n/system/xbin/mount.vboxsf presence of file\r\n/ueventd.android_x86.rc presence of file\r\n/ueventd.vbox86.rc presence of 
file\r\nSource: https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1"
	],
	"report_names": [
		"teardown-of-a-recent-variant-of-android-ztorg-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac15d4c10fb85ddb251f6e75ffc4315e5dc2db51.pdf",
		"text": "https://archive.orkl.eu/ac15d4c10fb85ddb251f6e75ffc4315e5dc2db51.txt",
		"img": "https://archive.orkl.eu/ac15d4c10fb85ddb251f6e75ffc4315e5dc2db51.jpg"
	}
}