An Android malware family identified as Trojan-Banker.AndroidOS.Tordow.a (Tordow in this article) has been making victims left and right, infecting smartphones, rooting the users' devices, and then stealing sensitive information and uploading it to the malware author's server.
Signs of this malware family appeared in February 2016, when first infections started popping up, mainly due to users downloading Android apps from unofficial third-party app stores.
Tordow distributed via clones of popular Android appsKaspersky Lab malware analyst Anton Kivva says that most of the apps that spread Tordow are clones of more popular Android apps such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf.
Crooks take these apps, unpack their source code, add their own malicious code inside, repackage them, and upload the newly created clones to third-party app stores.
Users that download these apps, unwittingly triggered the malicious code inside them when they launched them for the first time.
Kivva says that this code is actually some sort of downloader which fetches more malicious code on the user's device. Some of this code is a package that contains an exploit that helps the malware gain root privileges on the device.
Tordow roots devices in order to steal sensitive data unseenAfter getting root access, Tordow has full control over a device. The researcher says he found malicious functions inside the trojan's source code that hinted at several malicious capabilities such as the ability steal contacts, make phone calls, and send, steal, and delete SMS messages.
Additionally, the trojan can also download and run files on the device, install or remove apps, block access to a specific web page, rename files on the device, upload files from the device to an online server, and reboot the smartphone.
Savvy says that one of the local files which Tordow targets to steal is the database of the Android stock browser and Chrome for Android. This database contains the user's browsing history, but also his passwords. Other targeted files are the user's photos.
Not new, not uniqueThis is not by any means the first Android trojan that comes equipped with rooting capabilities, nor the first one that can steal photos and browsing history from the user's device.
For example, the Android.Loki trojan also roots devices, while the Marcher Android trojan can steal logins from a multitude of Android applications.
Other Android trojans that can root devices are Godless , Ztorg , Libskin , Matrix , Rootnik , and Shuanet .
