Kaspersky Lab’s researchers have discovered a large-scale network that promotes applications infected with the Ztorg Trojan through advertising campaigns.

The sophisticated ad botnet has compromised hundreds of thousands of devices with malware that generates views for ads, discreet installation or even purchase of new applications, thus making money for its authors. The campaigns have been effective for more than a year with almost 100 compromised programs to date.

Most of them were very popular and experienced explosive growth – from 10 to 10 000 installations in just one day. In fact, the first Trojan sample discovered had over 1-million installations.

There are many botnets in cyberspace, and most exist to earn money. Botnets are often focused on advertising fraud – cybercriminals compromise user devices with malware that provides ad views and clicks on Google Play to install or purchase new applications – all yielding profit to the botnet’s author. The Ztorg distributors have exploited this classic process and taken it to new heights.

Ztorg itself is a very sophisticated Trojan with module architecture. The first thing it does after installation is connect to its command-and-control server and upload data about the device – including country, language, device model and OS version. Once all data is uploaded, Ztorg downloads a second – additional – module that uses several exploit packs to gain root privileges on an infected device. These rights allow the Trojan to act persistently on the device, displaying unsolicited ads to the user, delivering ads more aggressively, and discreetly installing news applications.

According to Kaspersky Lab researchers, Ztorg is distributed in two ways. Firstly, cybercriminals are buying out traffic from at least four popular legal advertising networks to promote compromised programmes. It is worth noting that Ztorg’s additional modules show ads from these networks. This leads to promotion recursion – users are compromised because of malicious ads from an advertising network and, after infection, they see even more ads from the same network because of the installed Trojan.

The second way Ztorg is distributed is via applications that pay users for installing other programmes from Google Play. These offer users $0.04-0.05 for installing an application infected with Ztorg. While users get their few cents reward, their devices go into zombie mode, displaying unwanted ads for the cybercriminals’ benefit.

“Throughout 2016, advertising Trojans capable of exploiting super-user rights were the No. 1 threat to mobile users. The multistage network that has been discovered promoting Ztorg indicates that this trend is still evolving. Very recent applications were uploaded on Google Play in May 2017, and we expect to see more of their kind soon,” says Roman Unuchek, senior malware analyst at Kaspersky Lab USA.