Just a couple of weeks ago we reported on the “Gooligan” attack affecting millions of Android devices worldwide. Now, Comodo Threat Research Labs have identified a new piece of malware, Tordow v2.0, which is the first mobile banking Trojan created specifically for Android devices; it is currently affecting users in Russia.
It has become a serious threat for Android users because it tries to obtain root privileges after infecting a device. This sets it apart from other banking Trojans, which do not need root privileges to perform their malicious tasks. The reason this new malware seeks root is that the attackers want full control of the device in order to perform a wide variety of operations.
According to Comodo Labs’ research team, this malware can perform the following functions on an infected device:
- Making phone calls
- Monitoring SMS messages
- Downloading additional software
- Installing programs
- Stealing login credentials
- Accessing the contacts list
- Encrypting files stored on the device
- Opening and visiting web pages
- Handling banking data
- Deleting security software
- Rebooting the device
- Renaming files
- Asking for ransom by acting as ransomware
- Collecting information about the software and hardware, operating system, model, internet service provider, manufacturer and location of the device
Tordow 2.0 can search the Google Chrome and stock Android browsers for sensitive information. The malware is being distributed via apps available on third-party online stores: trojanised versions of Pokemon Go, Subway Surfer and Telegram found on such stores are all infected with the malware. Users who refrain from downloading apps from third-party sources can avoid the infection, which is why security researchers always stress downloading apps only from authentic and reliable sources.
The attackers take these apps, which are delivered as APK files, reverse engineer them, inject the Tordow 2.0 malware, and re-upload the repackaged apps to third-party stores; a user who installs one of them infects their device. It is also possible that the attackers distribute the infected apps through social media platforms, so always beware of such apps.
“Don’t download apps from a third-party store.”
Once the Trojan is installed, it tries to obtain root privileges; when this succeeds, it contacts its command-and-control server, from which it receives further instructions. The prime objective of the attackers is to abuse banking information to make money easily, so users’ financial information is in serious danger from Tordow 2.0. Because the malware obtains root privileges, removing it is difficult; using firmware to remove the source app that caused the infection in the first place will not help either.
The Trojan includes a CryptoUtil class whose functions encrypt and decrypt data with the AES algorithm. It uses the hardcoded key ‘MIIxxxxCgAwIB’ for data encryption. The Android application package (APK) file “cryptocomponent.2” is also encrypted with the same algorithm.
It is true that the malware is affecting users in Russia at the moment, but successful hacking operations of this kind usually spread to other regions in no time. The threat is therefore relevant to all Android users. To keep your device from getting infected, keep your security software up to date and be cautious when downloading apps or opening unsolicited attachments or URLs.