Ztorg

Name of Malware: Ztorg (Ghostpush, MonkeyTest, Xinyinhe, Qysly, Gooligan)

Type of Malware: Trojan, backdoor

Affected Operating Systems: Android

Affected Device Types: Mobile phones, smartphones

Impact: medium

What is Ztorg?

Ztorg is a trojan for Android devices.

Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user's permission, and the collection of data on the mobile phone, such as its location and contacts.

Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

How did I get infected with Ztorg?

There are multiple ways to become infected with Ztorg.

Ztorg infections can be acquired via websites that contain malicious scripts placed there by attackers. The scripts are used to download and install the malware without the user's consent.

Ztorg may also have been actively installed, perhaps as part of the installation of a software package that appears harmless.

What do I have to do now?

The device that is at risk can be cleaned by removing the app in question. To remove the app, the user can activate Android's safe mode.
It may be necessary to reset/reinstall the device.

Further information on removing this malware can be found under Removing infections from smartphones and tablets.

Technical specifications

Further information on this malware can be found on the website of our project partner Fraunhofer FKIE.