In late November 2016, Comodo Threat Research Labs discovered samples of the Android malware “Tordow v2.0” affecting clients in Russia. Tordow is the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices. Banking malware typically does not need root access to do its job (overlaying login screens and intercepting SMS codes works from an ordinary app), but with root access the attackers gain a far wider range of functionality and a much firmer foothold on the device.
Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit web pages, manipulate banking data, remove security software, reboot the device, rename files, and act as ransomware. It searches the stock Android browser and Google Chrome for stored sensitive information. Technical analysis shows that Tordow 2.0 also collects data about the device hardware and software, operating system, manufacturer, Internet Service Provider, and user location.
Tordow 2.0 contains a CryptoUtil class with functions to encrypt and decrypt files using AES with the hardcoded key ‘MIIxxxxCgAwIB’ (partially redacted here). Its downloadable modules are Android application package (APK) files with names such as “cryptocomponent.2”, and these too are stored AES-encrypted. A hardcoded key in the sample means an analyst with the APK can recover the encrypted modules and any files the ransomware component has encrypted without needing anything from the operator.
Tordow 2.0 has nine different checks for verifying that it has gained root privileges. The result is reported to one of the attacker’s command-and-control (C2) servers. The “https://2ip.ru” address that appears in the sample is a public IP and geolocation lookup service that the malware queries to learn the victim’s region and ISP (see the technical overview below); it is not itself attacker infrastructure, so it should not be treated as a C2 indicator on its own. With root access the attacker can do practically anything on the device, and it becomes very difficult to remove such deeply entrenched malware from an infected system.
Tordow spreads via popular social media and gaming applications that have been downloaded, reverse-engineered, and repackaged with malicious code. Apps that have been trojanized in this way include VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers. The infected programs are usually distributed from third-party sites not affiliated with the official stores such as Google Play (and, on iOS, the App Store), although both have had trouble with hosting and distributing infected apps before. The repackaged apps behave just like the originals, but also carry embedded and encrypted malicious functionality: the C2 communications, an exploit pack for obtaining root, and the loader for the downloadable Trojan modules.
Although the majority of victims have been in Russia, techniques that prove successful for attackers usually migrate to other parts of the globe. To protect against Tordow 2.0 and similar threats, users should keep their security software up to date, be suspicious of unsolicited links and attachments, and install applications only from the official stores rather than from third-party download sites.
Technical overview of Tordow v2.0
Class hierarchy of Tordow v2.0 (Dec 2016)
Class hierarchy of Tordow v1.0 (Sep 2016)
Tordow v2.0 functionalities:
1) All info: Collects system and device details: OS version, OS API level, device, model (and product), build version, build brand, CPU ABI, CPU ABI2, build hardware, build ID, manufacturer, build user and build host.
2) Get Region: Obtains the geographic region (country and city), ISP (for example “Airtel Broad Band”), browser name and version, and Android OS version by querying “https://2ip.ru”, a public IP/geolocation lookup service.
3) Rooted Device: Checks whether the device is rooted using nine different conditions, listed below:
4) Device Registration: If any of the root conditions matches, it registers the device with the attacker’s server, sending the build device, build version, package name, SIM operator details, and the root and custom-root status.
5) Download: Fetches updated modules. The names of the encrypted APKs are hardcoded (/cryptocomponent.2, /cryptocomponent.3 and /cryptocomponent.4), as are the download servers (http://XX.45.XX.34 and http://192.xx.0.xx, both redacted here).
Note: cryptocomponent.2, cryptocomponent.3 and cryptocomponent.4 are the names reserved for future upgrades of the module, each to be AES-encrypted. The current version is cryptocomponent.1, which is also AES-encrypted.
6) Device Login: Identifies the device to the server using its IMEI and other device details.
7) Execute Task: Dispatches commands received from the server. The recognised task names (spelled as they appear in the sample, including DECRYT_FILES and CHECK_BALANSE) are: DOWNLOAD_AND_RUN, UPLOAD_FILE, LOCKEDDevice, LockURL, ALARM REQUEST, UNLOCK Device, ENCRYPT_FILES, DECRYT_FILES, DELETE_FILES, GET_FILE_LIST, LOAD_HTTP_URL, ADD_ALTERNATE_SERVER, RELOAD_LIB, SET_PREFERENCE, ABORT_ALL_SMS, MASK_ABORT_SMS, SEND_SMS, SEND_SMS2, FAKE_INBOX_SMS, FAKE_SENT_SMS, ABORT_ALL_CALLS, ABORT_INCOMING, ABORT_OUTGOING, ABORT_NUMBER, REDIRECTION_NUMBER, GET_ALL_SMS, GET_ALL_CONTACTS, CHECK_BALANSE, CALL and MASS_SEND_SMS. The SMS interception and fake-inbox commands are what let the operator hide bank one-time codes from the victim, and ENCRYPT_FILES, DELETE_FILES and the lock commands are the ransomware side of the Trojan.
8) CryptoUtil: Provides the CryptoUtil class functions that encrypt and decrypt files with AES using the hardcoded key ‘MIIxxxxCgAwIB’ (partially redacted here).
9) Database: Stores all collected data locally in a database file named CoonDB.db.
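The indicators above (the cryptocomponent.N module names, the 2ip.ru lookup, the CoonDB.db database and the ExecuteTask command strings) are enough for a first static triage of a suspicious APK. The script below is an added example written for this page; it is not Comodo's code and contains nothing from the malware itself. It assumes the encrypted modules are shipped as entries inside the APK zip (the write-up says they are AES-encrypted APK files but not where they live) and uses a byte-entropy threshold to tell an encrypted blob from a plain APK or DEX. The redacted key ‘MIIxxxxCgAwIB’ is deliberately not used as an indicator: its visible prefix “MII” is the start of every base64-encoded DER structure and would match any app that embeds a certificate. The sample APKs are constructed inline so the script runs offline.

```python
"""Static triage of an Android APK for the Tordow v2.0 indicators in the write-up.

Added example for this page, not Comodo's code. Only uses the string and file
name indicators the article names; sample APKs are constructed in build_sample_apk().
"""
import io
import math
import os
import re
import zipfile

# String indicators taken from the write-up (the hardcoded AES key is omitted,
# see the lead-in: its visible prefix is too generic to be an indicator).
STRING_INDICATORS = {
    "region_lookup_2ip": b"https://2ip.ru",
    "spy_database": b"CoonDB.db",
}
# A subset of the ExecuteTask names, spelled as in the sample.
TASK_NAMES = [
    b"DOWNLOAD_AND_RUN", b"UPLOAD_FILE", b"ENCRYPT_FILES", b"DECRYT_FILES",
    b"DELETE_FILES", b"ADD_ALTERNATE_SERVER", b"FAKE_INBOX_SMS",
    b"ABORT_ALL_CALLS", b"REDIRECTION_NUMBER", b"CHECK_BALANSE", b"MASS_SEND_SMS",
]
# Assumption: the encrypted modules are zip entries named cryptocomponent.N.
ASSET_NAME = re.compile(r"(^|/)cryptocomponent\.\d+$")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for a uniform byte stream."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_asset(data: bytes) -> str:
    """Plain APK/JAR and DEX have recognisable magic; otherwise fall back to entropy."""
    if data[:4] == b"PK\x03\x04":
        return "plain-zip"
    if data[:4] == b"dex\n":
        return "plain-dex"
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "encrypted-or-compressed"
    return "unknown"


def scan_apk(apk_bytes: bytes) -> dict:
    """Walk every zip entry: record cryptocomponent.N payloads and indicator strings."""
    findings = {"strings": [], "tasks": [], "payload_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info)
            if ASSET_NAME.search(info.filename):
                findings["payload_assets"].append({
                    "name": info.filename,
                    "size": len(data),
                    "entropy": round(shannon_entropy(data), 2),
                    "kind": classify_asset(data),
                })
            for label, needle in STRING_INDICATORS.items():
                if needle in data and label not in findings["strings"]:
                    findings["strings"].append(label)
            for task in TASK_NAMES:
                name = task.decode()
                if task in data and name not in findings["tasks"]:
                    findings["tasks"].append(name)
    findings["strings"].sort()
    findings["tasks"].sort()
    return findings


def verdict(findings: dict) -> str:
    """An encrypted cryptocomponent.N entry plus several task names is the strongest
    combination described in the write-up; single hits alone do not reach the bar."""
    encrypted = [a for a in findings["payload_assets"] if a["kind"] == "encrypted-or-compressed"]
    score = 2 * len(encrypted) + len(findings["strings"])
    if len(findings["tasks"]) >= 3:
        score += 2
    return "tordow-like" if score >= 4 else "no-match"


def build_sample_apk(infected: bool) -> bytes:
    """Constructed test APKs, not real samples: a minimal DEX plus one asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        dex = b"dex\n035\x00" + b"\x00" * 64
        if infected:
            dex += b"\x00".join([b"https://2ip.ru", b"CoonDB.db"] + TASK_NAMES[:5])
            # Random bytes stand in for the AES-encrypted module.
            z.writestr("assets/cryptocomponent.1", os.urandom(4096))
        else:
            z.writestr("assets/config.json", b'{"theme": "light"}' * 20)
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, infected in (("trojanized", True), ("clean", False)):
        f = scan_apk(build_sample_apk(infected))
        print(label, verdict(f), f)
```

On a real sample, feed `scan_apk` the bytes of the APK file; the entropy check is what separates a legitimately bundled plugin APK (which starts with the zip magic) from an encrypted module that has to be decrypted by the CryptoUtil class before it can run.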