Kaspersky Lab


Press Releases


Ztorg botnet on the rise: more than a million devices compromised in a year

Cybercriminals build a massive botnet to cash-in on aggressive advertising

Kaspersky Lab’s researchers have discovered a large-scale network that promotes applications infected with the Ztorg Trojan through advertising campaigns. The sophisticated ad botnet has compromised hundreds of thousands of devices with malware that generates views for ads, discreet installation or even purchase of new applications, thus making money for its authors. The campaigns have been effective for more than a year with almost 100 compromised programs to date. Most of them were very popular and experienced explosive growth – from 10 to 10,000 installations in just one day. In fact, the first Trojan sample discovered had over 1,000,000 installations.

There are many botnets in cyberspace, and most exist to earn money. Botnets are often focused on advertising fraud - cybercriminals compromise user devices with malware that provides ad views and clicks on Google Play to install or purchase new applications – all yielding profit to the botnet’s author. The Ztorg distributors have exploited this classic process and taken it to new heights.


Ztorg itself is a very sophisticated Trojan with module architecture. The first thing it does after installation is connect to its command-and-control server and upload data about the device - including country, language, device model and OS version. Once all data is uploaded, Ztorg downloads a second – additional – module that uses several exploit packs to gain root privileges on an infected device. These rights allow the Trojan to act persistently on the device, displaying unsolicited ads to the user, delivering ads more aggressively, and discreetly installing news applications.


According to Kaspersky Lab researchers, Ztorg is distributed in two ways. Firstly, cybercriminals are buying out traffic from at least four popular legal advertising networks to promote compromised programs. It is worth noting that Ztorg’s additional modules show ads from these networks. This leads to promotion recursion – users are compromised because of malicious ads from an advertising network and, after infection, they see even more ads from the same network because of the installed Trojan.


The second way Ztorg is distributed is via applications that pay users for installing other programs from Google Play. These offer users $0.04-0.05 for installing an application infected with Ztorg. While users get their few cents reward, their devices go into zombie mode, displaying unwanted ads for the cybercriminals’ benefit.


“Throughout 2016 advertising Trojans capable of exploiting super-user rights were the No. 1 threat to mobile users. The multistage network that has been discovered promoting Ztorg indicates that this trend is still evolving. Very recent applications were uploaded on Google Play in May 2017, and we expect to see more of their kind soon,” concludes Roman Unuchek, Senior Malware Analyst at Kaspersky Lab USA.


To learn more about Ztorg botnet, please read the blog post, available on Securelist.com.


People concerned that they may face the Trojan should install a reliable security solution, such as Kaspersky Internet Security for Android, on their device. In addition, Kaspersky Lab advises users to always check that apps have been created by a reputable developer, to keep their OS and application software up-to-date, and not to download anything that looks at all suspicious or whose source cannot be verified.


Press Contact

Rhiannon Clarke

Send e-mail
Tel. +44-(0)118 909 0909

Download Documents

Kaspersky Lab on the Web

Virus Analyst Blogs