A wide-ranging catch-all Android malware known as Tordow v2.0 is affecting Russian victims, and researchers expect it to migrate to other parts of the globe.
Notably, Tordow is the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices. According to Comodo Threat Research Labs, typically, banking malware does not require root access to perform its malicious activities. But, with root access, hackers acquire a wider range of functionality.
To wit: Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files and act as ransomware. It searches the Android and Google Chrome browsers for stored sensitive information. Technical details show that Tordow 2.0 also collects data about device hardware and software, operating system, manufacturer, ISP and user location.
“Tordow 2.0 has nine different ways in which it verifies that it has gained root privileges,” Comodo researchers explained in an analysis. “Its status is transmitted to one of the attacker’s command-and-control (C2) servers. With root access, the attacker can pretty much do anything, and it becomes difficult to remove such entrenched malware from an infected system.”
Tordow spreads via common social media and gaming applications that have been downloaded, reverse-engineered and sabotaged by malicious coders. Apps that have been exploited include VKontakte (the Russian Facebook), Pokemon Go, Telegram and Subway Surfers. Hijacked apps usually behave just as the original ones, but also include embedded and encrypted malicious functionality including the C2 communications, an exploit pack for root access, and access to downloadable Trojan modules.
Infected programs are usually distributed from third-party sites not affiliated with Google Play, so users would be wise to stick with the official outlet. As always, for additional protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, and be suspicious of unsolicited links and attachments.
Photo © Wright Studio