Updated Tordow Android Malware Gets Ransomware Capabilities

An updated variant of the Tordow Android malware emerged last month featuring additional data collection capabilities and ransomware-like behavior, security researchers warn.

The first Tordow variant was detailed in September this year, when the Android banking Trojan stood out because it was requesting root access, something that similar malware doesn’t usually do. What’s more, the malware’s components were found to be able to download additional modules that would allow the attackers to take full control of the compromised devices.

Additionally, Tordow can send, steal, and delete SMS messages and record, redirect, and block calls, while also being able to steal contacts, check the user’s balance, and even download and install applications. On top of all that, it could steal various files from the compromised smartphones.

The updated malware variant, which Comodo refers to as Tordow v2.0, retains all of these features and adds several more. Now, the Trojan can steal login credentials, manipulate banking data, and visit webpages, while also being capable of encrypting/decrypting files and removing security software, in addition to acting as ransomware.

The security researchers have observed the updated Trojan variant searching the Android and Google Chrome browsers for stored sensitive information. What’s more, they noticed that the malware collects data about the infected device’s hardware and software, including operating system, manufacturer, Internet Service Provider, and user location.

Courtesy of CryptoUtil class functions, the malware is now capable of encrypting and decrypting files using the AES algorithm. However, the security researchers also noticed that the Trojan uses the hardcoded key ‘MIIxxxxCgAwIB’ for the encryption process. The malware also uses AES to encrypt application package (APK) files that sport names such as cryptocomponent.2.
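The practical consequence of a hardcoded key is that the "ransomware" step is reversible by anyone who has extracted the key from the APK. The following Go program is an added illustration, not code from the report or the malware: it models file encryption under one static key and the matching recovery routine. The key string is a placeholder, and the SHA-256 derivation, CBC mode, PKCS#7 padding and prepended IV are all assumptions, since the report does not describe those details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Placeholder for the static string the report says the sample hardcodes; the real value is not reproduced here.
const hardcodedKeyString = "MIIxxxxCgAwIB-PLACEHOLDER"

// Assumed derivation (the report does not describe one): SHA-256 of the string gives a fixed AES-256 key, identical on every device.
func keyFromString(s string) cipher.Block {
	sum := sha256.Sum256([]byte(s))
	block, err := aes.NewCipher(sum[:])
	if err != nil {
		panic(err) // 32-byte key, so this cannot fail
	}
	return block
}

// Model of the ransomware step, assumed CBC with PKCS#7 padding and the IV prepended: blob = IV || AES-CBC(key, pad(plaintext)).
func encryptWithStaticKey(block cipher.Block, iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// Recovery side: because the key never changes per victim, the string pulled from the APK is enough to decrypt any affected file.
func recoverFile(block cipher.Block, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not an IV followed by whole AES blocks")
	}
	iv, body := blob[:aes.BlockSize], blob[aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return plain[:len(plain)-n], nil
}

func main() {
	block := keyFromString(hardcodedKeyString)
	blob := encryptWithStaticKey(block, bytes.Repeat([]byte{0x42}, aes.BlockSize), []byte("constructed victim document"))
	fmt.Println(recoverFile(block, blob))
}
```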

Comodo also reveals that the updated Tordow variant comes with nine different ways to check whether it has gained root privileges or not.

The malware also sends its status to one of the attacker’s command-and-control (C&C) servers, and the availability of root access provides the adversary with the ability to do just about anything on the compromised devices. It also makes it difficult to remove the threat from the system.

The malware spreads through infected variants of popular social media and gaming applications, including VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers, available for download via third-party sites. The compromised apps usually behave like the legitimate ones, but also include embedded and encrypted malicious functionality such as an exploit pack for root access, access to downloadable Trojan modules, and C&C communication.

“Although the majority of victims have been in Russia, successful hacker techniques usually migrate to other parts of the globe. For protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, be suspicious of unsolicited links and attachments, and only download applications from official websites,” Comodo notes.

Related: “Gooligan” Android Malware Steals Authentication Tokens to Hack User Accounts

Related: Android Malware Improves Resilience

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
