A Tordow Infection begins with the installation of a popular app, such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf. In this particular case, we're not talking about the original apps but copies that are distributed outside the official Google Play store. Malware writers download legitimate applications, disassemble them and add new code and new files.
Anyone who possesses even a little knowledge of Android development can do it. The result is a new app that is very similar to the original, performs all the stated legitimate functions, but that also has the malicious functionality that the attackers need.
How it works
In the case in question, the code embedded in the legitimate app decrypts the file added by the cybercriminals in the app's resources and launches it.
The launched file calls the attacker's server and downloads the main part of Tordow, which contains links to download several more files - an exploit to gain root privileges, new versions of malware, and so on. The number of links may vary depending on the criminals' intentions; moreover, each downloaded file can also download from the server, decrypt and run new components. As a result, the infected device is loaded with several malicious modules; their number and functionality also depend on what the Tordow owners want to do. Either way, the attackers get the chance to remotely control the device by sending commands from the C&C.
As a result, cybercriminals get a full set of functions for stealing money from users by applying the methods that have already become traditional for mobile bankers and ransomware. The functionality of the malicious app includes:
- Sending, stealing, deleting SMS.
- Recording, redirecting, blocking calls.
- Checking the balance.
- Stealing contacts.
- Making calls.
- Changing the C&C.
- Downloading and running files.
- Installing and removing applications.
- Blocking the device and displaying a web page specified by a malicious server.
- Generating and sending a list of files contained on the device; sending and renaming of files.
- Rebooting a phone.
In addition to downloading modules belonging to the banking Trojan, Tordow (within the prescribed load chain of modules) also downloads a popular exploit pack to gain root privileges, which provides the malware with a new attack vector and unique features.
Firstly, the Trojan installs one of the downloaded modules in the system folder, which makes it difficult to remove.
Secondly, using superuser rights the attackers steal the database of the default Android browser and the Google Chrome browser if it's installed.
And thirdly, the superuser rights make it possible to steal almost any file in the system - from photos and documents to files containing mobile app account data.
These attacks can result in the theft of huge amounts of critical user data. We recommend that users do not install apps from unofficial sources and use antivirus solutions to protect Android-based devices.