Tordow (Trojan)

Main article: Trojans

2016: Smartphone attacks

Comodo researchers have identified a new version of the Tordow banking malware that attacks users in Russia. The Trojan is trying to gain root privileges on the device, which makes fighting it extremely problematic.

Tordow 2.0 is capable of performing ransomware functions, as well as intercepting phone calls, SMS messages, downloading and installing applications without the user's knowledge, stealing login passwords, rebooting devices, and, most dangerous, manipulating bank data and destroying mobile antiviruses.

Banking Trojan Tordow 2.0 tries to gain root privileges on smartphones

In addition, the malware collects and forwards to its command server all contact information stored in Android and Google Chrome, as well as detailed information about the device, its hardware components, installed software, operating system, manufacturer, Internet provider and the user's physical location.

The original Tordow was discovered earlier this year by Kaspersky Lab experts. This was the first Trojan for the Android operating system to seek superuser privileges (root) on an infected device. Usually, banking malware does not need root privileges, but attackers can perform much more operations with them and maintain control over the device for longer.

Comodo found that Tordow 2.0 has file encryption and decryption functions using the AES algorithm. Interestingly, the decryption key is sewn directly into the code: "MIIxxxxCgAwIB." Knowing this code, the user can regain access to encrypted files, so it will be incorrect to call him a full-fledged ransomware Trojan.

But even without this, Tordow 2.0 is a serious threat, especially since if it has root privileges, the only way to fix the malware is to reset the system to factory settings. This automatically means that all data on the device is lost.

Tordow 2.0 is distributed through client applications for social networks modified by attackers (in particular, VKontakte, Odnoklassniki and Telegram) and popular mobile games (Pokemon Go, Subway Surfers). Infected programs are distributed through unofficial app stores. Outwardly, they are no different from the real ones, but with them the user downloads a set of exploits that provide root access to the device and means of communication with the malware command center.

Comodo researchers point out that although the main goal of Tordow 2.0 is now Russian-speaking users, attackers in other countries may adopt the methods used by the malware in the near future.

Unofficial app stores for popular mobile platforms are often a hotbed for malicious apps. This also happens with official stores such as Google Play, but very rarely: the degree of control by the administration of official resources is still quite high. This cannot be said about third-party stores, "says Dmitry Gvozdev, CEO of Security Monitor. - In principle, official client applications that are offered to be downloaded or bought on unofficial resources are already quite suspicious in themselves: the likelihood that these applications will be filled with malware is extremely high.

Not downloading applications that raise minimal suspicion is the most effective way to protect against such threats. In addition, it is recommended to use mobile antiviruses that can prevent Trojans from penetrating devices and changing smartphone settings without the knowledge of users.

See also:

• Information security in banks
• Information security (Russian market)
• Information Security - Antiviruses