{
	"id": "f0a3d83b-020c-44f1-80bf-3d5db207a93a",
	"created_at": "2026-04-06T00:07:54.820911Z",
	"updated_at": "2026-04-10T13:12:59.305062Z",
	"deleted_at": null,
	"sha1_hash": "b9e707a8e18bc46081304840bdbacbd15082e21f",
	"title": "Ztorg: from rooting to SMS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 394765,
	"plain_text": "Ztorg: from rooting to SMS\r\nBy Roman Unuchek\r\nPublished: 2017-06-20 · Archived: 2026-04-05 16:16:04 UTC\r\nI’ve been monitoring Google Play Store for new Ztorg Trojans since September 2016, and have so far found\r\nseveral dozen new malicious apps. All of them were rooting malware that used exploits to gain root rights on the\r\ninfected device.\r\nThen, in the second half of May 2017 I found one that wasn’t. Distributed on Google Play through two malicious\r\napps, it is related to the Ztorg Trojans, although not a rooting malware but a Trojan-SMS that can send Premium\r\nrate SMS and delete incoming SMS. The apps had been installed from Google Play more than 50,000 and 10,000\r\ntimes respectively.\r\nKaspersky Lab products detect the two Trojan apps as Trojan-SMS.AndroidOS.Ztorg.a. We reported the malware\r\nto Google, and both apps have been deleted from the Google Play Store.\r\nThe first malicious app, called “Magic browser” was uploaded to Google Play on May 15, 2017 and was installed\r\nmore than 50,000 times.\r\nhttps://securelist.com/ztorg-from-rooting-to-sms/78775/\r\nPage 1 of 8\n\nTrojan-SMS.AndroidOS.Ztorg.a on Google Play Store\r\nThe second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000\r\ntimes.\r\nhttps://securelist.com/ztorg-from-rooting-to-sms/78775/\r\nPage 2 of 8\n\nTrojan-SMS.AndroidOS.Ztorg.a on Google Play Store\r\nWhat can they do?\r\nAfter starting, the Trojan will wait for 10 minutes before connecting to its command and control (C\u0026C) server. It\r\nuses an interesting technique to get commands from the C\u0026C: it makes two GET requests to the C\u0026C, and in both\r\nincludes part of the International Mobile Subscriber Identity (IMSI). The first request will look like this:\r\nGET c.phaishey.com/ft/x250_c.txt, where 250 – first three digits of the IMSI.\r\nIf the Trojan receives some data in return, it will make the second request. 
The second request will look like this:\r\nGET c.phaishey.com/ft/x25001_0.txt, where 25001 – first five digits of the IMSI.\r\nWhy does the Trojan need these digits from the IMSI?\r\nhttps://securelist.com/ztorg-from-rooting-to-sms/78775/\r\nPage 3 of 8\n\nThe interesting thing about the IMSI is that the first three digits are the MCC (mobile country code) and the fourth\r\nand fifth digits are the MNC (mobile network code). Using these digits, the cybercriminals can identify the\r\ncountry and mobile operator of the infected user. They need this to choose which premium rate SMS should be\r\nsent.\r\nIn answer to these requests, the Trojan may receive an encrypted JSON file with some data. This data should\r\ninclude a list of offers, and every offer carries a string field called ‘url’, which may or may not contain an actual\r\nurl. The Trojan will try to open/view the field using its own class. If this value is indeed a url, the Trojan will show\r\nits content to the user. But if it is something else and carries an “SMS” substring, the user will send an SMS\r\ncontaining the text supplied to the number provided.\r\nMalicious code where the Trojan decides if it should send an SMS.\r\nThis is an unusual way to send SMS. Just after it receives urls to visit, or SMS to send, the Trojan will turn off the\r\ndevice sound, and start to delete all incoming SMS.\r\nI wasn’t able to get any commands for the Trojans distributed through Google Play. But for other Trojans located\r\nelsewhere that have the same functionality, I got the command:\r\n{“icon”:”http://down.rbksbtmk.com/pic/four-dault-06.jpg”,”id”:”-1″,”name”:”Brower”,”result”:1,”status”:1,”url”:”http://global.621.co/trace?\r\noffer_id=111049\u0026aff_id=100414\u0026type=1″}\r\nIt was a regular advertising offer.\r\nWAP billing subscriptions\r\nI was able to find several more malicious apps with the same functionality distributed outside the Google Play\r\nStore. 
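The C&C check-in and the offer handling described in the section above, as an added example in Python (editor-written, not code from the Securelist post or from the Ztorg samples). It takes the host c.phaishey.com and the two request paths from the post, splits an IMSI into MCC and MNC the way the Trojan does, scans a few constructed web-proxy log lines for that check-in shape so a defender can spot it, and classifies a decrypted offer the way the post says the Trojan does (real URL is opened, anything else containing SMS is treated as a send-SMS command). The function names, the sample IMSI, the log lines (including the example.org decoy), and the SMS-marker-value string are assumptions; the exact layout of number and text after the SMS substring is not given in the post, so the code only flags such a value rather than parsing it.

```python
import re

# Editor-added example, not code from the Securelist post or from Ztorg.
# Models the Trojan-SMS.AndroidOS.Ztorg.a check-in described in the post:
#   GET c.phaishey.com/ft/x<MCC>_c.txt          (first request)
#   GET c.phaishey.com/ft/x<MCC><MNC>_0.txt     (only if the first returned data)
# and the per-offer decision: open a real URL, or send an SMS when the
# url field merely contains the substring SMS.

CNC_HOST = 'c.phaishey.com'   # C&C host named in the post


def imsi_split(imsi):
    '''Return (MCC, MNC) as the Trojan derives them: digits 1-3 and 4-5.
    MNCs are two digits in most regions and three in some (notably North
    America); the post says the Trojan takes exactly five digits, so a
    three-digit MNC is truncated here just as it is by the malware.'''
    if not imsi.isdigit() or len(imsi) < 5:
        raise ValueError('IMSI must be at least 5 decimal digits')
    return imsi[:3], imsi[3:5]


def checkin_paths(imsi):
    '''The two request paths the Trojan builds, in order of use.'''
    mcc, mnc = imsi_split(imsi)
    return [f'/ft/x{mcc}_c.txt', f'/ft/x{mcc}{mnc}_0.txt']


# Detection side: the same shape in a web-proxy log. The host is captured so
# a hit can be tied to the known C&C or to look-alike infrastructure.
CHECKIN_RE = re.compile(
    'GET\\s+(?:https?://)?([^/\\s]+)(/ft/x(\\d{3})(\\d{2})?_([c0])\\.txt)')


def scan_proxy_log(lines):
    '''Return one record per log line that matches the Ztorg check-in shape.'''
    hits = []
    for line in lines:
        m = CHECKIN_RE.search(line)
        if not m:
            continue
        host, path, mcc, mnc, stage = m.groups()
        hits.append({
            'host': host,
            'known_cnc': host == CNC_HOST,
            'path': path,
            'mcc': mcc,
            'mnc': mnc,                       # None on the first request
            'stage': 'first' if stage == 'c' else 'second',
        })
    return hits


def dispatch_offer(offer):
    '''Mimic the Trojan's decision for one decrypted offer (a dict from the
    JSON list). A real URL is opened in the Trojan's own view class; any
    other value containing SMS is treated as a send-SMS command. The post
    does not give the layout of number and text after the SMS marker, so
    the raw value is returned untouched.'''
    value = str(offer.get('url', ''))
    if value.startswith(('http://', 'https://')):
        return {'action': 'open_url', 'target': value}
    if 'SMS' in value:
        return {'action': 'send_sms', 'command': value}
    return {'action': 'ignore', 'value': value}


# Constructed sample data (assumed, not from the post): three proxy-log
# lines, one of which is an unrelated path sharing the /ft/x prefix.
SAMPLE_LOG = [
    '2017-05-20T10:00:01Z 10.0.0.7 GET http://c.phaishey.com/ft/x250_c.txt 200',
    '2017-05-20T10:00:02Z 10.0.0.7 GET http://c.phaishey.com/ft/x25001_0.txt 200',
    '2017-05-20T10:00:03Z 10.0.0.9 GET http://example.org/ft/x/notes.txt 404',
]

# The advertising offer quoted in the post, as the Trojan would see it after
# decryption.
SAMPLE_OFFER = {
    'icon': 'http://down.rbksbtmk.com/pic/four-dault-06.jpg',
    'id': '-1', 'name': 'Brower', 'result': 1, 'status': 1,
    'url': 'http://global.621.co/trace?offer_id=111049&aff_id=100414&type=1',
}

if __name__ == '__main__':
    print(checkin_paths('250011234567890'))   # assumed IMSI: MCC 250, MNC 01
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(dispatch_offer(SAMPLE_OFFER))
    print(dispatch_offer({'url': 'SMS-marker-value'}))   # hypothetical value
```

The detection regex deliberately keys on the path shape rather than on the host alone, because the post shows the same module shipped outside Google Play with other C&C infrastructure; a hit on an unknown host with this exact path pattern is still worth triage.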
The interesting thing about these apps found outside Google Play is that they don’t look like standalone Trojans, but rather like an additional module for some other Trojan.\r\nFurther investigation revealed that these Trojans were installed by a regular Ztorg Trojan along with other Ztorg modules.\r\nIn a few of these Trojans, I found that they download a JS file from the malicious URL using the MCC.\r\nMalicious code where the Trojan downloads a JS file.\r\nI downloaded several JS files, using different MCCs, to find out what the cybercriminals are going to do with users from different countries. I wasn’t able to get a file for a US MCC, but for the other countries I tried I received files with some functions. All the files contain a function called “getAocPage”, which most likely references AoC (Advice of Charge). After analyzing these files, I found that their main purpose is to perform clickjacking attacks on web pages with WAP billing. In doing so, the Trojan can steal money from the user’s mobile account. WAP billing works in a similar way to premium-rate SMS, but usually in the form of subscriptions rather than the one-time payments typical of premium-rate SMS.\r\nJS file from a C&C for Russian users (MCC = 250)\r\nThis means that the URLs the Trojan receives from the C&C may not only be advertising URLs, but also URLs with WAP billing subscriptions. Furthermore, some Trojans with this functionality use C&C URLs that contain “/subscribe/api/”, which may reference subscriptions too.\r\nAll of these Trojans, including the Trojans from Google Play, try to send SMS from any device. To do so they use many methods to send SMS:\r\nPart of the “Magic browser” app’s code\r\nIn total, the “Magic browser” app tries to send SMS from 11 different places in its code. The cybercriminals do this in order to be able to send SMS from different Android versions and devices. Furthermore, I was able to find another modification of Trojan-SMS.AndroidOS.Ztorg that tries to send an SMS via the “am” command, although this approach should not work.\r\nConnection with the Ztorg malware family\r\nThe “Magic browser” app was promoted in a similar way to other Ztorg Trojans. Both the “Magic browser” and “Noise Detector” apps share code similarities with other Ztorg Trojans. Furthermore, the latest version of the “Noise Detector” app contains the encrypted file “girl.png” in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan.\r\nI found several more Trojans with the same functionality that were installed by a regular Ztorg Trojan along with the other Ztorg modules. And it isn’t the first case where additional Ztorg modules were distributed from Google Play as a standalone Trojan. In April 2017, I found that a malicious app called “Money Converter” had been installed more than 10,000 times from Google Play. It uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.\r\nTrojan-SMS vs. rooting\r\nThere were two malicious apps on Google Play with the same functionality, “Noise Detector” and “Magic browser”, but I think that they each had a different purpose. “Magic browser” was uploaded first, and I assume that the cybercriminals were checking whether they were able to upload this kind of functionality. After they uploaded the malicious app, they didn’t update it with newer versions.\r\nBut it is a different story with “Noise Detector”. Here it looks like the cybercriminals were trying to upload an app infected with a regular version of the Ztorg Trojan, but in the process of uploading they decided to add some malicious functionality to make money while they were working on publishing the rooting malware. The update history of “Noise Detector” proves it.\r\nOn May 20 they uploaded a clean app called “Noise Detector”. A few days later they updated it with another clean version.\r\nThen, a few days after that, they uploaded a version to Google Play that contained an encrypted Ztorg Trojan, but without the possibility of decrypting and executing it. On the following day they finally updated their app with the Trojan-SMS functionality, but still didn’t add the possibility to execute the encrypted Ztorg module. It is likely that, if the app hadn’t been removed from Google Play, they would have added this functionality at the next stage. There is also the possibility that attempting to add this functionality is what alerted Google to the Trojan’s presence and resulted in its deletion.\r\nConclusions\r\nWe found a very unusual Trojan-SMS being distributed through Google Play. It not only uses around a dozen methods to send SMS, but also initializes these methods in an unusual way: by processing web-page loading errors using a command from the C&C. And it can open advertising URLs. Furthermore, it is related to Ztorg malware with the same functionality that is often installed by Ztorg as an additional module.\r\nBy analyzing these apps I found that the cybercriminals are working on clickjacking WAP billing. This means that these Trojans may not only open ad URLs or send premium-rate SMS, but also open web pages with WAP billing and steal money from a user’s account. To hide these activities, the Trojans turn off the device sound and delete all incoming SMS.\r\nThis isn’t the first time that the cybercriminals have distributed Ztorg modules through Google Play. For example, in April 2017 they uploaded a module that can click on Google Play Store app buttons to install or even buy promoted apps.\r\nMost likely, the attackers are publishing Ztorg modules to make some additional money while they are trying to upload the regular rooting Ztorg Trojan. I suggest this because one of the malicious apps had an encrypted Ztorg module but wasn’t able to decrypt it.\r\nMD5\r\nF1EC3B4AD740B422EC33246C51E4782F\r\nE448EF7470D1155B19D3CAC2E013CA0F\r\n55366B684CE62AB7954C74269868CD91\r\nA44A9811DB4F7D39CAC0765A5E1621AC\r\n1142C1D53E4FBCEFC5CCD7A6F5DC7177\r\nSource: https://securelist.com/ztorg-from-rooting-to-sms/78775/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/ztorg-from-rooting-to-sms/78775/"
	],
	"report_names": [
		"78775"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434074,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9e707a8e18bc46081304840bdbacbd15082e21f.pdf",
		"text": "https://archive.orkl.eu/b9e707a8e18bc46081304840bdbacbd15082e21f.txt",
		"img": "https://archive.orkl.eu/b9e707a8e18bc46081304840bdbacbd15082e21f.jpg"
	}
}