Android malware “Tordow v2.0” which specifically affected to mobile bank user in Russia has been discovered by Threat Researchers of comodo TRL.

spoke person said ,Tordow is the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices.

Root access of mobiles no needed to perform its malicious activities, but with root access hackers can do many things in mobile devices.

How danger Tordow v2.0:

Comodo Researcher’s said ,”Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware.”

It can able to collect the the technical things in mobile devices including the information about device hardware and software, operating system, manufacturer, Internet Service Provider, and user location.

Ransomware funtionality:

Accordinng to the Report from comodo lab Crypto functionality has uniquely play with Ransomware operation .Tordow 2.0 possesses CryptoUtil class functions with which it can encrypt and decrypt files using the AES algorithm with the following hardcoded key: ‘MIIxxxxCgAwIB’. Its Android application package (APK) files, with names such as “cryptocomponent.2”, are encrypted with the AES algorithm.

How Tordow 2.0 gain root privilege:

There are nine different ways in which it verifies that it has gained root privileges. Its status is transmitted to one of the attacker’s command-and-control (C2) servers, such as one found at “https://2ip.ru”. With root access, the attacker can pretty much do anything, and it becomes difficult to remove such entrenched malware from an infected system.

Common way to spread Tordow 2.0:

Malware Researcher of Comodo TRL G. Ravi Krishna Varma said,Tordow spreads via common social media and gaming applications that have been downloaded, reverse-engineered, and sabotaged by malicious coders.

Apps that have been exploited include VKontakte (the Russian Facebook), Pokemon Go, Telegram, and Subway Surfers.

Infected programs are usually distributed from third-party sites not affiliated with official websites such as the Google Play and Apple stores, although both have had trouble with hosting and distributing infected apps before.

Affected applications are act as original one  but also include an exploit pack for root access, and access to downloadable Trojan modules, embedded and encrypted malicious functionality including the C2 communications,

Majority of victims & prevention :

Most of the victims has been affected in Russia  ,Comodo Request to the android users For protection against Tordow 2.0 and similar threats, users should keep their security software up-to-date, be suspicious of unsolicited links and attachments, and only download applications from official websites.

 

For more Technical Reference visit comodo blog .