Tordow

Tordow is an Android banking Trojan first discovered in February 2016 by Kaspersky Lab and the first of its kind to include an exploit pack to gain root privileges seeks root privileges. Root access provides the perpetrators with additional capabilities for new types of attacks. The Trojan infects devices through copies of popular apps, such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki, and Subway Surf, distributed via third-party application stores. These apps perform the same functions as their legitimate counterparts, but with malicious functionality as well. Once an infected application is downloaded and launched on a host’s mobile device, it triggers the malicious code to call to the attacker’s servers and download the main Tordow payload containing several files, including the exploit to gain root privileges and any new versions of the Trojan. Its capabilities include, but are not limited to:

  • sending, stealing, and deleting SMS;
  • recording, redirecting, and blocking calls;
  • checking balances;
  • stealing contacts;
  • making calls;
  • changing the C2 server;
  • downloading and running files;
  • installing and removing applications;
  • blocking the device and displaying a web page specified by the malicious server;
  • generating and sending a list of files contained on the device; and
  • rebooting the device.

When the attackers gain root access, Tordow installs one of the downloaded modules in the system folder and then steals the database of the default Android browser and the Google Chrome browser, if it’s installed. The databases contain valuable sensitive data such as usernames, passwords, browsing history, and cookies. The attackers can then access many of the victim’s accounts.

Version 2 of the Tordow Android Trojan, discovered in November 2016, can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware.

Reporting

  • September 2016: Tordow was first detected in February 2016 and has been tweaked to evolve into its latest version. (SECURELIST)
     
  • September 2016: While the majority of victims have been in Russia, activity has been seen in Ukraine, China, and India. (Threatpost)

Technical Details

  • Securelist provides technical details on the Tordow Trojan, here.
     
  • Comodo provides technical details on the Tordow version 2, here.