Updated Tordow Android Malware Gets Ransomware Capabilities

An updated variant of the Tordow Android malware emerged last month featuring additional data collection capabilities and ransomware-like behavior, security researchers warn.

The first Tordow variant was detailed in September this year, when the Android banking Trojan stood out because it was requesting root access, something that similar malware doesn’t usually do. What’s more, the malware’s components were found to be able to download additional modules that would allow the attackers to take full control of the compromised devices.

Additionally, Tordow can send, steal, and delete SMS messages and record, redirect, and block calls, while also being able to steal contacts, check the user's balance, and even download and install applications. On top of all that, it can steal various files from the compromised smartphone.

The updated malware variant, which Comodo refers to as Tordow v2.0, keeps all of these features and adds several more. The Trojan can now steal login credentials, manipulate banking data, and visit webpages; it is also capable of encrypting and decrypting files, removing security software, and acting as ransomware.

The security researchers have observed the updated Trojan variant searching the Android and Google Chrome browsers for stored sensitive information. What’s more, they noticed that the malware collects data about the infected device’s hardware and software, including operating system, manufacturer, Internet Service Provider, and user location.

Using functions in a CryptoUtil class, the malware is now capable of encrypting and decrypting files with the AES algorithm. However, the security researchers also noticed that the Trojan uses the hardcoded key ‘MIIxxxxCgAwIB’ for the encryption process, meaning the key can be recovered from the malware sample itself. The malware also uses AES to encrypt application package (APK) files with names such as cryptocomponent.2.

Comodo also reveals that the updated Tordow variant comes with nine different ways to check whether it has gained root privileges or not.

The malware also reports its status to one of the attacker’s command-and-control (C&C) servers, and root access gives the adversary the ability to do just about anything on the compromised device. It also makes the threat difficult to remove from the system.

The malware spreads through infected variants of popular social media and gaming applications, including VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers, available for download via third-party sites. The compromised apps usually behave like the legitimate ones, but also include embedded and encrypted malicious functionality such as an exploit pack for root access, access to downloadable Trojan modules, and C&C communication.
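Both the AES-encrypted cryptocomponent.2 modules and the encrypted functionality embedded in the trojanized apps have one triage-friendly property: encrypted blobs inside an APK have near-maximal byte entropy. The following is an added example (not code from the article or from Comodo) that scans an APK, which is a zip archive, and flags entries that look like embedded encrypted payloads; the sample archive is constructed inline with random bytes standing in for an encrypted module, and the entropy threshold and benign-suffix list are heuristic assumptions.

```python
"""Entropy triage for embedded encrypted payloads in an APK (a zip archive).

Added example, not code from the article or from Comodo. The entry name
'cryptocomponent.2' comes from the article; the archive is constructed here.
"""
import io
import math
import os
import zipfile
from collections import Counter

# Entries that are legitimately high-entropy (compressed media, signature files)
# and would otherwise dominate the report. Threshold is a heuristic assumption.
BENIGN_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3",
                   ".rsa", ".dsa", ".ec", ".sf")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted/random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_entries(apk_bytes: bytes, min_size: int = 256) -> list[tuple[str, float]]:
    """Return (name, entropy) for entries that look like embedded encrypted blobs."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < min_size:
                continue
            if info.filename.lower().endswith(BENIGN_SUFFIXES):
                continue
            ent = shannon_entropy(zf.read(info))
            if ent >= ENTROPY_THRESHOLD:
                flagged.append((info.filename, round(ent, 2)))
    return flagged


def build_sample_apk() -> bytes:
    """Constructed stand-in for a trojanized APK: one plain asset, one encrypted-looking module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/config.txt", "server=example\nretry=3\n" * 40)
        # Random bytes stand in for an AES-encrypted module (constructed sample).
        zf.writestr("assets/cryptocomponent.2", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for name, ent in suspicious_entries(build_sample_apk()):
        print(f"{name}: entropy {ent:.2f} bits/byte")
```

High entropy alone is not proof of malice (compressed or packed assets score high too), so treat a hit as a reason to pull the entry for closer analysis rather than as a verdict.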

“Although the majority of victims have been in Russia, successful hacker techniques usually migrate to other parts of the globe. For protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, be suspicious of unsolicited links and attachments, and only download applications from official websites,” Comodo notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
