Malware News Android Trojan Roots Devices, Steals Photos and Chrome's Database

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
An Android malware family identified as Trojan-Banker.AndroidOS.Tordow.a (Tordow in this article) has been making victims left and right, infecting smartphones, rooting the users' devices, and then stealing sensitive information and uploading it to the malware author's server.

Signs of this malware family appeared in February 2016, when first infections started popping up, mainly due to users downloading Android apps from unofficial third-party app stores.

Tordow distributed via clones of popular Android apps
Kaspersky Lab malware analyst Anton Kivva says that most of the apps that spread Tordow are clones of more popular Android apps such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf.

Crooks take these apps, unpack their source code, add their own malicious code inside, repackage them, and upload the newly created clones to third-party app stores.

Users that download these apps, unwittingly triggered the malicious code inside them when they launched them for the first time.

Kivva says that this code is actually some sort of downloader which fetches more malicious code on the user's device. Some of this code is a package that contains an exploit that helps the malware gain root privileges on the device.

Tordow roots devices in order to steal sensitive data unseen
After getting root access, Tordow has full control over a device. The researcher says he found malicious functions inside the trojan's source code that hinted at several malicious capabilities such as the ability steal contacts, make phone calls, and send, steal, and delete SMS messages.

Additionally, the trojan can also download and run files on the device, install or remove apps, block access to a specific web page, rename files on the device, upload files from the device to an online server, and reboot the smartphone.

Savvy says that one of the local files which Tordow targets to steal is the database of the Android stock browser and Chrome for Android. This database contains the user's browsing history, but also his passwords. Other targeted files are the user's photos.

Not new, not unique
This is not by any means the first Android trojan that comes equipped with rooting capabilities, nor the first one that can steal photos and browsing history from the user's device.

For example, the Android.Loki trojan also roots devices, while the Marcher Android trojan can steal logins from a multitude of Android applications.

Other Android trojans that can root devices are Godless, Ztorg, Libskin, Matrix, Rootnik, and Shuanet.
 

exCode

Level 3
Verified
Sep 19, 2016
114
So kind of like that one piece of malware on the iPhone that the news was blowing up about that would jailbreak a user's phone and watch cam, listen to mic, etc? At least I don't use anything else than the Google Play store and occasionally apkpure when an app isn't in my country.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
What Android versions are vulnerable?
All, even Nougat (7)?
It would be interesting to know if any Android version can block the malware above..at least for now..
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
What Android versions are vulnerable?
All, even Nougat (7)?
It would be interesting to know if any Android version can block the malware above..at least for now..
 
L

LabZero

Usually these types of "root malware" can't be easily deleted.
Often it is necessary to restore your device as factory default but, because of the imposed root, also this solution doesn't always work.
The only certainty is prevention.
 
  • Like
Reactions: Der.Reisende

exCode

Level 3
Verified
Sep 19, 2016
114
Usually these types of "root malware" can't be easily deleted.
Often it is necessary to restore your device as factory default but, because of the imposed root, also this solution doesn't always work.
The only certainty is prevention.
The thing is, I'm completely fine with restoring my device. I actually do it a lot. Like right now, I'm downloading Nougat (on my really unstable internet, downloads completely stop in the middle sometimes.)
 
  • Like
Reactions: Der.Reisende

Entreri

Level 7
Verified
May 25, 2015
342
Anyone not using the official store should expecting this. If they drain your accounts, chock it up to a life lesson.

However, even the Android Store is iffy compared to Apple's.
 
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top