In the past, we’ve seen superuser rights exploit advertising applications such as Leech, Guerrilla, Ztorg. This use of root privileges is not typical, however, for banking malware attacks, because money can be stolen in numerous other ways that don’t require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy. We had been watching the development of this malicious program closely and found that Tordow’s capabilities had significantly exceeded the functionality of most other banking malware, and this allowed cybercriminals to carry out new types of attacks.
A Tordow Infection begins with the installation of a popular app, such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf. In this particular case, we’re not talking about the original apps but copies that are distributed outside the official Google Play store. Malware writers download legitimate applications, disassemble them and add new code and new files.
Code added to a legitimate application
Anyone who possesses even a little knowledge of Android development can do it. The result is a new app that is very similar to the original, performs all the stated legitimate functions, but that also has the malicious functionality that the attackers need.
How it works
In the case in question, the code embedded in the legitimate app decrypts the file added by the cybercriminals in the app’s resources and launches it.
The launched file calls the attacker’s server and downloads the main part of Tordow, which contains links to download several more files – an exploit to gain root privileges, new versions of malware, and so on. The number of links may vary depending on the criminals’ intentions; moreover, each downloaded file can also download from the server, decrypt and run new components. As a result, the infected device is loaded with several malicious modules; their number and functionality also depend on what the Tordow owners want to do. Either way, the attackers get the chance to remotely control the device by sending commands from the C&C.
As a result, cybercriminals get a full set of functions for stealing money from users by applying the methods that have already become traditional for mobile bankers and ransomware. The functionality of the malicious app includes:
- Sending, stealing, deleting SMS.
- Recording, redirecting, blocking calls.
- Checking the balance.
- Stealing contacts.
- Making calls.
- Changing the C&C.
- Downloading and running files.
- Installing and removing applications.
- Blocking the device and displaying a web page specified by a malicious server.
- Generating and sending a list of files contained on the device; sending and renaming of files.
- Rebooting a phone.
In addition to downloading modules belonging to the banking Trojan, Tordow (within the prescribed load chain of modules) also downloads a popular exploit pack to gain root privileges, which provides the malware with a new attack vector and unique features.
Firstly, the Trojan installs one of the downloaded modules in the system folder, which makes it difficult to remove.
Secondly, using superuser rights the attackers steal the database of the default Android browser and the Google Chrome browser if it’s installed.
Code for sending data from browsers to the server
These databases contain all the logins and passwords stored by the user in the browser, browsing history, cookies, and sometimes even saved bank card details.
Login and password from a specific site in the browser database
As a result, the attackers can gain access to several of the victim’s accounts on different sites.
And thirdly, the superuser rights make it possible to steal almost any file in the system – from photos and documents to files containing mobile app account data.