In late November 2016, Comodo Threat Research Labs discovered samples of the Android malware “Tordow v2.0” affecting clients in Russia. Tordow is the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices. Typically, banking malware does not require root access to perform its malicious activities, but with root access hackers acquire a wider range of functionality.
Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware. It searches the Android and Google Chrome browsers for stored sensitive information. Technical details show that Tordow 2.0 also collects data about device hardware and software, operating system, manufacturer, Internet Service Provider, and user location.
Tordow 2.0 possesses CryptoUtil class functions with which it can encrypt and decrypt files using the AES algorithm with the following hardcoded key: ‘MIIxxxxCgAwIB’. Its Android application package (APK) files, with names such as “cryptocomponent.2”, are encrypted with the AES algorithm.
Tordow 2.0 has nine different ways in which it verifies that it has gained root privileges. Its status is transmitted to one of the attacker’s command-and-control (C2) servers, such as one found at “https://2ip.ru”. With root access, the attacker can pretty much do anything, and it becomes difficult to remove such entrenched malware from an infected system.
Tordow spreads via common social media and gaming applications that have been downloaded, reverse-engineered, and sabotaged by malicious coders. Apps that have been exploited include VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers. Infected programs are usually distributed from third-party sites not affiliated with official websites such as the Google Play and Apple stores, although both have had trouble with hosting and distributing infected apps before. Hijacked apps usually behave just as the original ones, but also include embedded and encrypted malicious functionality including the C2 communications, an exploit pack for root access, and access to downloadable Trojan modules.
Although the majority of victims have been in Russia, successful hacker techniques usually migrate to other parts of the globe. For protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, be suspicious of unsolicited links and attachments, and only download applications from official websites.
| Attribute | Value |
|---|---|
| Malware Name | Android.spy.Tordow |
| Analyst Name | G. Ravi Krishna Varma |
| Criminal Activities | Fake APK; all information about OS and mobile; spying on region details; root device; device registration; download, run and upgrade of future cryptocomponent versions; and ExecuteTask commands (DOWNLOAD_AND_RUN, UPLOAD_FILE, LOCKEDDevice, LockURL, ALARM REQUEST, UNLOCK Device, ENCRYPT_FILES, DECRYT_FILES, DELETE_FILES, GET_FILE_LIST, LOAD_HTTP_URL, ADD_ALTERNATE_SERVER, RELOAD_LIB, SET_PREFERENCE, ABORT_ALL_SMS, MASK_ABORT_SMS, SEND_SMS, SEND_SMS2, FAKE_INBOX_SMS, FAKE_SENT_SMS, ABORT_ALL_CALLS, ABORT_INCOMING, ABORT_OUTGOING, ABORT_NUMBER, REDIRECTION_NUMBER, GET_ALL_SMS, GET_ALL_CONTACTS, CHECK_BALANSE, CALL, MASS_SEND_SMS). |
| Tordow Version | Version 1.0 and Version 2.0 |
Technical overview of Tordow v2.0
Class Hierarchy of Tordow v2.0 (Dec-2016)
Class Hierarchy of Tordow v1.0 (Sep-2016)
Tordow v2.0 functionalities:
1) All info: collects system and device details such as OS version, OS API level, device, model (and product), build version, build brand, build CPU ABI, build CPU ABI2, build hardware, build ID, build manufacturer, build user and build host.
2) Get Region: collects geographical region details (country and city), ISP (example: Airtel Broadband), browser details (browser name and browser version) and Android OS version by connecting to “https://2ip.ru”.
3) Rooted Device: checks whether the mobile device is rooted using the nine conditions listed below:
4) Device Registration: if any one of the root conditions matches, it stores the rooted device's information on the spying server: build device, build version of the device, package name, SIM operator details, root device and custom root device.
5) Download: maintains upgrade versions of the hardcoded future encrypted APK names (/cryptocomponent.2, /cryptocomponent.3 and /cryptocomponent.4); the file download servers are http://XX.45.XX.34 and http://192.xx.0.xx.
All of the above (cryptocomponent.2, cryptocomponent.3 and cryptocomponent.4) are future upgrade cryptocomponent APK files that will be encrypted with the AES algorithm. The current version is cryptocomponent.1, which is also AES-encrypted.
6) Device Login: maintains device login details such as the mobile IMEI number and other details.
7) Execute Task: maintains the list of ExecuteTask commands: DOWNLOAD_AND_RUN, UPLOAD_FILE, LOCKEDDevice, LockURL, ALARM REQUEST, UNLOCK Device, ENCRYPT_FILES, DECRYT_FILES, DELETE_FILES, GET_FILE_LIST, LOAD_HTTP_URL, ADD_ALTERNATE_SERVER, RELOAD_LIB, SET_PREFERENCE, ABORT_ALL_SMS, MASK_ABORT_SMS, SEND_SMS, SEND_SMS2, FAKE_INBOX_SMS, FAKE_SENT_SMS, ABORT_ALL_CALLS, ABORT_INCOMING, ABORT_OUTGOING, ABORT_NUMBER, REDIRECTION_NUMBER, GET_ALL_SMS, GET_ALL_CONTACTS, CHECK_BALANSE, CALL and MASS_SEND_SMS.
8) CryptoUtil: maintains CryptoUtil class functions to encrypt and decrypt files using the AES algorithm with the hardcoded key ‘MIIxxxxCgAwIB’.
9) Database Maintain: stores all spying information in CoonDB.db.
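As an added example, not part of the original analysis, the following triage script turns the artefacts named in items 5, 7, 8 and 9 (the cryptocomponent payload prefix, the ExecuteTask command vocabulary, the CryptoUtil class and CoonDB.db) into a static check: it opens an APK in memory and scores the strings of every classes*.dex against that vocabulary. The weights, the threshold and the constructed stand-in APK are assumptions for illustration; a real DEX would be scanned the same way.

```python
import io
import re
import zipfile

# C2 task names quoted in the write-up; misspellings (DECRYT_FILES, CHECK_BALANSE) are the
# malware's own and therefore unusually specific. Generic names such as CALL are left out.
TORDOW_TASKS = {
    "DOWNLOAD_AND_RUN", "UPLOAD_FILE", "ENCRYPT_FILES", "DECRYT_FILES", "DELETE_FILES",
    "GET_FILE_LIST", "LOAD_HTTP_URL", "ADD_ALTERNATE_SERVER", "RELOAD_LIB", "SET_PREFERENCE",
    "ABORT_ALL_SMS", "MASK_ABORT_SMS", "SEND_SMS", "SEND_SMS2", "FAKE_INBOX_SMS", "FAKE_SENT_SMS",
    "ABORT_ALL_CALLS", "ABORT_INCOMING", "ABORT_OUTGOING", "ABORT_NUMBER", "REDIRECTION_NUMBER",
    "GET_ALL_SMS", "GET_ALL_CONTACTS", "CHECK_BALANSE", "MASS_SEND_SMS",
}
# Other artefacts named in the write-up: payload prefix, crypto class, spy database, geo-lookup host.
TORDOW_ARTEFACTS = {"cryptocomponent.", "CryptoUtil", "CoonDB.db", "2ip.ru"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{5,}")  # printable ASCII runs of 5+ bytes

def extract_strings(blob: bytes) -> set:
    """Return the set of printable ASCII strings found in a binary blob."""
    return {m.decode("ascii") for m in PRINTABLE.findall(blob)}

def score_dex(dex: bytes) -> dict:
    """Match one DEX file's strings against the Tordow vocabulary."""
    found = extract_strings(dex)
    tasks = {t for t in TORDOW_TASKS if t in found}                          # whole-string match
    artefacts = {a for a in TORDOW_ARTEFACTS if any(a in s for s in found)}  # substring match
    return {"tasks": tasks, "artefacts": artefacts}

def triage_apk(apk: bytes, threshold: int = 8) -> dict:
    """Open an APK (a zip) in memory, score every classes*.dex, and flag it above a threshold."""
    tasks, artefacts = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                r = score_dex(z.read(name))
                tasks |= r["tasks"]
                artefacts |= r["artefacts"]
    # Assumed weighting: each C2 task name counts 1, each artefact name counts 3.
    score = len(tasks) + 3 * len(artefacts)
    return {"tasks": tasks, "artefacts": artefacts, "score": score, "suspicious": score >= threshold}

def build_sample_apk(strings) -> bytes:
    """Constructed stand-in for an APK: its classes.dex is just NUL-separated strings, not a real DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00".join(s.encode() for s in strings))
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()
```

The string-pool match is deliberately exact for task names so that a benign `SEND_SMS` permission string inside a longer identifier does not count; tune the weights and threshold against your own clean-app corpus before using the score operationally.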