Updated Android Malware Gains Strength

Wednesday, December 21, 2016 @ 04:12 PM gHale

With Android such a popular mobile system, users need to be aware that an updated version of the Tordow Android malware has added data collection capabilities and ransomware-like behavior.

The updated malware variant, which Comodo refers to as Tordow v2.0, keeps all of the original features: requesting root access; downloading additional modules that let the attackers take full control of the compromised device; sending, stealing, and deleting SMS messages; recording, redirecting, and blocking calls; stealing contacts; checking the user's balance; downloading and installing applications; and stealing various files from the compromised smartphone.


On top of the old features, the Trojan can now steal login credentials, manipulate banking data, and visit webpages; it can also encrypt and decrypt files, remove security software, and act as ransomware.

Researchers observed the updated Trojan searching the Android and Google Chrome browsers for stored sensitive information. In addition, they found the malware collects data about the infected device’s hardware and software, including operating system, manufacturer, Internet Service Provider, and user location.

The malware is capable of encrypting and decrypting files using the AES algorithm. Researchers also found the Trojan uses the hardcoded key ‘MIIxxxxCgAwIB’ for the encryption process. The malware also uses AES to encrypt application package (APK) files that have names like cryptocomponent.2.
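Because the key is embedded in the malware rather than generated per victim, an analyst who extracts it can decrypt whatever the malware encrypted with it. The following is an added example in Go, not Comodo's analysis code or anything from Tordow itself, illustrating that recovery path; it assumes AES-128 in CBC mode with the IV prepended to the ciphertext and PKCS#7 padding (the page names only AES), and uses a constructed placeholder key because the page's key is partially redacted.

```go
package main

// Added example, not Tordow's code. Assumes AES-128-CBC with IV || ciphertext and
// PKCS#7 padding (the page names only AES); the key is a constructed placeholder.
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var HardcodedKey = []byte("constructed-k16!") // placeholder for a key pulled out of the sample by static analysis

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("invalid length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// RecoverFile decrypts blob (IV || ciphertext) with the extracted key.
func RecoverFile(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block-aligned")
	}
	pt := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// EncryptForDemo builds a sample blob in the assumed format so recovery can be tested offline.
func EncryptForDemo(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(pt[:len(pt):len(pt)], bytes.Repeat([]byte{byte(pad)}, pad)...) // copies, never aliases pt
	blob := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(blob[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, blob[:aes.BlockSize]).CryptBlocks(blob[aes.BlockSize:], padded)
	return blob, nil
}
```

RecoverFile refuses truncated or misaligned input and bad padding rather than returning garbage, which is the behaviour a recovery tool needs when run over a directory of partially written files.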

Comodo also said in a blog post that the latest Tordow variant comes with nine different ways to check whether it has gained root privileges.

The malware also sends its status to one of the attacker's command-and-control (C&C) servers, and the availability of root access gives the attacker the ability to do just about anything on the compromised device. It also makes the threat difficult to remove from the system.

The malware spreads through infected variants of popular social media and gaming applications, including VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers, available for download via third-party sites.
