An updated variant of the Tordow Android malware emerged last month featuring additional data collection capabilities and ransomware-like behavior, security researchers warn.
The first Tordow variant was detailed in September this year, when the Android banking Trojan stood out because it was requesting root access, something that similar malware doesn’t usually do. What’s more, the malware’s components were found to be able to download additional modules that would allow the attackers to take full control of the compromised devices.
Additionally, Tordow can send, steal, and delete SMS messages and record, redirect, and block calls, while also being able to steal contacts, check user’s balance, and even download and install applications. On top of all that, it could steal various files from the compromised smartphones.
The updated malware variant, which Comodo refers to as Tordow v2.0, keeps all of these features, while also adding some more of them. Now, the Trojan can steal login credentials, manipulate banking data, and visit webpages, while also being capable of encrypting/decrypting files and removing security software, in addition to acting as ransomware.
The security researchers have observed the updated Trojan variant searching the Android and Google Chrome browsers for stored sensitive information. What’s more, they noticed that the malware collects data about the infected device’s hardware and software, including operating system, manufacturer, Internet Service Provider, and user location.
Courtesy of CryptoUtil class functions, the malware is now capable of encrypting and decrypting files using the AES algorithm. However, the security researchers also noticed that the Trojan uses the hardcoded key ‘MIIxxxxCgAwIB’ for the encryption process. The malware also uses AES to encrypt application package (APK) files that sport names such as cryptocomponent.2.
Comodo also reveals that the updated Tordow variant comes with nine different ways to check whether it has gained root privileges or not.
The malware also sends its status to one of the attacker’s command-and-control (C&C) servers, and the availability of root access provides the adversary with the ability to do about anything on the compromised devices. It also makes it difficult to remove the threat from the system.
The malware spreads through infected variants of popular social media and gaming applications, including VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers, available for download via third-party sites. The compromised apps usually behave like the legitimate ones, but also include embedded and encrypted malicious functionality such as an exploit pack for root access, access to downloadable Trojan modules, and C&C communication.
“Although the majority of victims have been in Russia, successful hacker techniques usually migrate to other parts of the globe. For protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, be suspicious of unsolicited links and attachments, and only download applications from official websites,” Comodo notes.
Related: “Gooligan” Android Malware Steals Authentication Tokens to Hack User Accounts
Related: Android Malware Improves Resilience