Ztorg
Rooting trojan that was uploaded to Google Play almost 100 times under different app names, including "Privacy Lock", which reached 1M+ installs. Extensively documented by Kaspersky/Securelist in 2016-2017, Ztorg used a modular architecture with updatable root exploit packs and monetized through WAP billing clickjacking. Later variants added SMS trojan capabilities. It is connected to the broader Triada ecosystem.
Overview
| Property | Value |
|---|---|
| First Seen | December 2015 |
| Type | Rooting trojan / Backdoor |
| Attribution | Unknown (connected to Triada ecosystem) |
| Aliases | Trojan.AndroidOS.Ztorg (Kaspersky), Backdoor.AndroidOS.Ztorg |
Distribution
Distributed exclusively through Google Play, where it was uploaded approximately 100 times as different apps, with at least 3 new infected apps per month from September 2016 onward. Notable apps:
- "Privacy Lock" (1M+ installs, December 2015)
- "Magic browser" (50,000+ installs, May 2017)
Capabilities
| Capability | Implementation |
|---|---|
| Modular root exploits | Updatable root exploit packs, fetched from the C2, for gaining system-level access |
| Post-root persistence | Installed itself into the /system partition, so it survived factory resets |
| Ad fraud | Clickjacking on WAP billing pages to charge victims' mobile accounts |
| App management | Delete or download apps on C2 command |
| SMS trojan | 2017 variant: send premium-rate SMS, delete incoming SMS |
| Modular architecture | Downloaded and updated functional modules from C2 |
Monetization
Ztorg primarily monetized through clickjacking attacks on web pages that use WAP billing, where purchases are charged directly to the victim's mobile phone account. After rooting the device and gaining system-level access, it could silently interact with WAP billing pages to subscribe victims to premium services without their knowledge.