Tordow Android Trojan Roots Devices and Steals Personal Credentials
Security researchers at Comodo have discovered version 2.0 of a deadly Android trojan called Tordow, which first appeared in February 2016. Bleepingcomputer.com reported on 15th December, 2016 that the trojan's main feature is its ability to root Android devices, which theoretically gives the trojan the capability to carry out any malicious operation it wants.
In particular, Tordow is the first mobile banking trojan for the Android operating system that seeks to gain root privileges on infected devices. Comodo Threat Research Labs notes that a typical banking malware does not require root access to execute its malicious activities; however, root access gives the attackers a far wider range of functionality.
To wit: Tordow 2.0 can make phone calls, download and install programs, control SMS messages, steal login credentials, access contacts, visit web pages, encrypt files, manipulate banking data, reboot the device, remove security software, rename files and also act as ransomware. It searches the Google Chrome and Android browsers for stored sensitive data. Technical details reveal that Tordow 2.0 also collects data about the device's software and hardware, manufacturer, operating system, ISP and the user's location.
The trojan's source contains special code that enables it to gain root privileges. Tordow 2.0 further includes 9 different ways to verify that root privileges were acquired. At this point, the trojan beacons to its C&C server, sends basic information about the device and waits for new commands.
One of Tordow's components can encrypt files with the AES encryption algorithm using a hardcoded encryption key of MIIxxxxCgAwIB, which allows security researchers to decrypt the files.
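The hardcoded key is what made recovery possible, and the same mistake is visible during sample triage as a base64 constant that decodes to DER-encoded key material (the "MII" prefix is the base64 form of a long DER SEQUENCE). The following is an added example, not code from the page or from Comodo, that scans a constructed string dump for such constants; the DER blob and the other strings are placeholders built inline, not Tordow's real key.

```python
import base64
import re

# Constructed sample standing in for strings dumped from a decompiled APK.
# FAKE_DER is a placeholder SEQUENCE (tag 0x30, long-form length 32), not the
# real key, which the page only gives in the elided form "MIIxxxxCgAwIB".
FAKE_DER = b"\x30\x82\x00\x20" + bytes(range(32))
FAKE_DER_B64 = base64.b64encode(FAKE_DER).decode()

SAMPLE_STRINGS = "\n".join([
    "http://example.invalid/gate.php",      # placeholder C&C-style URL
    "Content-Type: application/json",
    FAKE_DER_B64,                           # hardcoded key material
    "aGVsbG8gd29ybGQ=",                     # base64, but too short to care
    "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",         # long base64 that is not DER
])

# Runs of base64 alphabet long enough to hold key material.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def der_sequence_length(blob: bytes):
    """Return the declared length if blob is one complete DER SEQUENCE, else None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first & 0x80:                     # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return None
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    else:                                # short form: the byte is the length itself
        length, header = first, 2
    return length if header + length == len(blob) else None


def find_hardcoded_der(text: str):
    """Return (truncated token, DER length) for every base64 token that is a DER SEQUENCE."""
    hits = []
    for token in B64_TOKEN.findall(text):
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:               # bad padding or stray characters
            continue
        length = der_sequence_length(blob)
        if length is not None:
            hits.append((token[:12] + "...", length))
    return hits


if __name__ == "__main__":
    for token, length in find_hardcoded_der(SAMPLE_STRINGS):
        print(f"possible embedded key material: {token} (DER length {length})")
```

The same scan can be pointed at the output of a strings dump or decompiled constants; a hit is a reason to look at how that constant is used, not proof of a key on its own.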
Tordow spreads through popular gaming and social media applications that were downloaded, reverse-engineered and tampered with by the malicious coders. Exploited applications include Pokemon Go, VKontakte (the Russian Facebook), Subway Surfers and Telegram. The hijacked apps normally behave just like the originals, although they also include implanted and encrypted malicious functionality comprising C2 communications, an exploit pack for root access and access to downloadable trojan modules.
Users should always keep their security software updated for extra protection against Tordow 2.0 and similar threats, and always be suspicious of unsolicited attachments and links.
» SPAMfighter News - 12/21/2016