Trojan-Banker.AndroidOS.Tordow.a was discovered in February 2016 by researchers at Kaspersky Lab. Anton Kivva, a malware analyst on the Kaspersky team, has been following the progress of Tordow since then, and he has found that the capabilities of this malicious program go beyond the typical functionality of other banking malware.
He has ascertained that the Tordow Trojan is able to gain exclusive rights and use root privileges to make its infection as effective as possible. Thus cyber criminals can carry out new types of Android attacks.
Counterfeit Versions of Popular Android Apps Distribute Tordow
Counterfeit versions of popular applications such as Pokemon Go, VKontakte, DrugVokrug, Odnoklassniki, Subway Surf and Telegram distribute the Trojan. The malware writers quite skillfully disassembled the code of these popular apps and added their malicious code to it. As a result, the apps look and behave almost exactly like the legitimate ones: they continue to carry out all their legitimate functions, while the stealthy malicious functionality steals sensitive information in the background.
The good news is that the apps are distributed outside the official Google Play store, so as long as users exercise caution when downloading and installing apps from third-party sources there is no risk of infection with the Tordow Android banking Trojan. We recommend that users avoid any downloads from untrusted sources.
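As an added defender-side example (not part of the original post and not Kaspersky's code), here is a small Python triage helper that flags installed apps which were sideloaded, i.e. installed by something other than Google Play, or whose APK signing-certificate digest differs from the publisher's known one, which is how a repackaged clone of Telegram or Pokemon Go would show up on a device. The `pm list packages -i` and `apksigner verify --print-certs` outputs and every digest below are constructed placeholders; real known-good digests must come from the publisher.

```python
import re

# Constructed `adb shell pm list packages -i` output; "installer=null" = sideloaded APK.
PM_OUTPUT = """\
package:org.telegram.messenger  installer=null
package:com.nianticlabs.pokemongo  installer=com.android.vending
package:com.vkontakte.android  installer=com.example.thirdpartystore
"""
# Constructed `apksigner verify --print-certs <apk>` output per package;
# the digests are placeholders, not the real publishers' certificates.
APKSIGNER_OUTPUT = {
    "org.telegram.messenger": "Signer #1 certificate SHA-256 digest: " + "22" * 32,
    "com.nianticlabs.pokemongo": "Signer #1 certificate SHA-256 digest: " + "33" * 32,
    "com.vkontakte.android": "Signer #1 certificate SHA-256 digest: " + "44" * 32,
}
# Placeholder known-good signer digests; Telegram's deliberately differs (clone).
KNOWN_SIGNERS = {
    "org.telegram.messenger": "11" * 32,
    "com.nianticlabs.pokemongo": "33" * 32,
    "com.vkontakte.android": "44" * 32,
}
PLAY_STORE = "com.android.vending"
INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-f]{64})", re.I)


def parse_installers(pm_text):
    """Map package name -> installer package from `pm list packages -i` output."""
    result = {}
    for line in pm_text.splitlines():
        m = INSTALLER_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def signer_digest(apksigner_text):
    """First signer's SHA-256 certificate digest (lowercase), or None if absent."""
    m = DIGEST_RE.search(apksigner_text)
    return m.group(1).lower() if m else None


def triage(pm_text, signer_outputs, known_signers):
    """(package, reason) findings: a signer mismatch outranks plain sideloading."""
    findings = []
    for pkg, installer in parse_installers(pm_text).items():
        expected = known_signers.get(pkg)
        actual = signer_digest(signer_outputs.get(pkg, ""))
        if expected and actual != expected:
            findings.append((pkg, "signer mismatch: possible repackaged app"))
        elif installer != PLAY_STORE:
            findings.append((pkg, f"sideloaded via {installer}"))
    return findings
```

A Play-installed app whose signer matches produces no finding; a sideloaded app with the right signer is reported only as sideloaded, so the two cases can be prioritised differently.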
Tordow Android Banking Trojan in Action
Once the cloned app is running on the device, the malicious file embedded in its code launches as well. It then establishes a connection with the attackers' server and downloads the main part of Tordow. The downloaded package includes an exploit that, once running, allows the attackers to control the device by sending commands remotely from the C&C. Besides the traditional methods of stealing money from users, such as downloading and running files, rebooting the phone and taking the contacts, the creators of Tordow go further and gain root privileges on the device, which lets them collect sensitive user data.
Superuser rights allow the attackers to steal the databases of the default Android browser and of Google Chrome. The information stored in those databases gives them all the logins and passwords entered in the browser; browsing history, cookies and all saved bank card details can also be easily seen and reached. All photos and documents on the device are accessible as well. As a result, a Tordow infection can lead to the leakage of huge amounts of critical user data.
See more of Anton Kivva’s disclosures about the Tordow Android banking Trojan in his post on Securelist.
In conclusion, we recommend that all Android users install software only from official sources. The use of antivirus solutions will prevent infection with Trojan-Banker.AndroidOS.Tordow.a. Stay safe!