Ztorg

The Ztorg trojan, also referred to as HEUR:Trojan.AndroidOS.Ztorg.ad, targets Android OS and masquerades as an app called “Guide for Pokémon Go.” It was previously available for download from the Google Play Store but was promptly removed after security researchers discovered it was malware and reported their findings. The malicious app was downloaded over 500,000 times prior to its removal from the app store. Once installed, the malware remains dormant for a period of time while it determines whether it is running on an actual Android device or on a virtual machine, a check intended to avoid analysis. After it determines that it is on an actual device, it collects information such as the model number, OS version, location, and language, and sends it to the attackers. It then installs hidden software designed to gain root access and push unwanted ads to the screen. It can also secretly download additional malware to the device at the request of the attacker.

Reporting

  • September 2016: The Pokemon Go guide app with half a million downloads hacks Android devices. (PC World)
  • May 2017: A cybercriminal group is using "rewards apps" to install malicious apps on victim devices. Some of the "rewards apps" available through the official Play Store are delivering apps that contain the Ztorg trojan. (BleepingComputer)

Technical Details

  • Securelist provides more technical details on HEUR:Trojan.AndroidOS.Ztorg.ad.

One example of the HEUR:Trojan.AndroidOS.Ztorg.ad mobile malware. Image Source: Kaspersky Lab