All the files are hosted on the same Amazon S3 bucket: Unluckily, some interesting files and folders are not accessible (e.g.program, tmp), but all of the folders related to the file are accessible and we had a way to collect all the packages relying on the CDN for the privacy link.This extension is known as “z9 for Mobile Malware”, and was officially announced in September 2017.
The code relies on configuration downloaded from an URL which is not alive anymore: kmd.phaishey.com/ft/ and uses the IMSI of the phone to fetch the correct configuration file (e.g. Looking at the list of interesting files distributed by the CDN, we noticed the 404_and the 47001_0files.
So we decided to take a look into it, mostly because something about the shape of the email and the link were suspicious. The two files have the same size, but the hash is different.
After a quick check of the privacy links from the two applications, some things were clear: Other than the previously listed files there are other inaccessible files and folders related to logs (e.g. After a quick inspection of the file, it was clear that part of it was encoded in some way; in fact, it wasn’t a valid APK file.
Kaspersky Lab researchers said that the code is related to the Ztorg campaign, and during the months, they noticed that several times Ztorg droppers have been available on the Play Store.
So we decided to go further and understand if other infected applications have been uploaded and published.