Tordow Android Trojan Roots Devices, Steals Photos, Contacts, Chrome Database

Share this…

Comodo security researchers have spotted version 2.0 of a deadly Android trojan named Tordow, which first came to light in February this year.

The trojan’s main feature is its ability to root Android devices, which in theory, gives the trojan the capability to carry out any malicious operation it wants.

According to the researchers who spotted Tordow 2.0, this trojan can execute a large number of intrusive operations, such as:

  • Initiate phone calls
  • Manage SMS messages
  • Download and install other apps
  • Access the phone’s contacts list
  • Encrypt files
  • Access remote URLs
  • Steal login credentials from other apps
  • Steal data from Google Chrome browsers
  • Interact with banking apps
  • Remove mobile security apps
  • Reboot the Android device
  • Access and rename files
  • Collect device details
  • Collect geo-location data

Tordow used as a banking trojan against Russian users

Special code found inside the trojan’s source allows it to gain root privileges. Tordow 2.0 also includes nine different methods through which it verifies that the root privileges have been obtained.

At this point, the trojan pings its C&C server, sends basic device information, and awaits for new commands.

Comodo says that in most cases, Tordow has been used as a banking trojan to phish login credentials for users of Russian banks.

Nevertheless, one of Tordow’s components can encrypt files with the AES encryption algorithm, using a hardcoded encryption key of MIIxxxxCgAwIB, which allows security researchers to decrypt files.

Tordow spreads via third-party app stores

The way users get infected with Tordow 2.0 is via third-party app stores that provide alternative download locations for various popular Android apps.

Tordow’s creators have downloaded popular apps, unpacked the apps, reverse-engineered the original code, added Tordow inside, repackaged the app, and uploaded it to these stores.

Some of the popular apps found infected with Tordow include clones after Pokemon GO, Subway Surfers, VKontakte, and Telegram, all popular apps in Russia.

Tordow 2.0 was first detected in November, while Kaspersky discovered Tordow 1.0 in September, but traced back its activivty to February 2016.