Tordow mobile Trojan: An InfoSec professional’s newest nightmare

Trojans, or any malware for that matter, are nothing new for mobile devices. Whether on iPhone or Android, the threats to mobile users have grown steadily since those operating systems appeared. One such threat, the banking Trojan “Tordow,” was identified last year. Since then, researchers have watched it gain capabilities as its authors tweaked Tordow’s code, and the latest release, version 2.0, has been making headlines in the security world.

In a report by researcher G. Ravi Krishna Varma of Comodo, Tordow v2.0 is described as “the first mobile banking Trojan for the Android operating system that seeks to gain root privileges on infected devices.” Other researchers had already noted this behaviour, Kaspersky Lab’s report on version 1 among them, but Comodo’s report is one of the first to lay out the complexity of Tordow v2.0: it walks through the nine ways Tordow v2.0 tries to gain access, and it shows the code while doing so.

The most significant of the capabilities it documents is the ransomware module’s file encryption. As the report’s code listing shows, Tordow employs “CryptoUtil class functions to encrypt and decrypt files using AES algorithm with Hardcoded Key ‘MIIxxxxCgAwIB’”. That hardcoded key is the weak point of the scheme: because it is a fixed symmetric key embedded in the APK, anyone who extracts the constant can decrypt every file the Trojan locked, with no payment and no contact with the operators.
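To show why a hardcoded key undermines the ransomware, here is an added Go example (not Comodo’s code and not Tordow’s own CryptoUtil class) that models both sides: a `lockFile` routine standing in for the Trojan’s encryptor and a `recoverFile` routine a responder could write once the key is lifted from the APK. The cipher mode (AES/CBC/PKCS5Padding with a random IV prepended), the function names and the 16-byte `hardcodedKey` value are all assumptions made for the example; the report redacts the real key and does not state the mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey stands in for the constant an analyst lifts from the APK's
// CryptoUtil class. It is a placeholder constructed for this example; the real
// key is redacted in the Comodo report and is not this value.
var hardcodedKey = []byte("example-key-0123") // 16 bytes -> AES-128

// pkcs7Pad reproduces the PKCS5Padding javax.crypto applies: append n bytes of
// value n so the length becomes a multiple of the block size.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips that padding and rejects malformed trailers.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// lockFile models the Trojan side: encrypt a file's bytes under the fixed key.
// Mode is assumed to be AES/CBC/PKCS5Padding with a fresh random IV prepended
// to the ciphertext; the report does not state which mode Tordow uses.
func lockFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// recoverFile is the responder side: because the key never changes, the same
// constant decrypts every victim's files without any contact with the C2.
func recoverFile(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, body := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

func main() {
	// Constructed sample "file" standing in for a victim's document.
	sample := []byte("quarterly-report.docx: constructed sample contents")
	locked, err := lockFile(hardcodedKey, sample)
	if err != nil {
		panic(err)
	}
	recovered, err := recoverFile(hardcodedKey, locked)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext bytes: %d, recovered matches original: %v\n",
		len(locked), bytes.Equal(recovered, sample))
}
```

The practical lesson for responders is the shape of `recoverFile`: the only inputs are the extracted constant and the locked file, so a one-off decryptor can be built from the unpacked APK alone. The same property is what separates this from ransomware that generates a per-victim key and sends it to a C2 server.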

Another point of significance in the report (which I highly recommend reading for yourself) is the code Tordow uses to steal login details, which the report also walks through with its screenshots.

As the report states, Tordow v2.0 has been found running wild mostly in the Russian Federation, hidden in trojanized copies of popular apps such as the VKontakte social network client (often a hub for piracy) and everyone’s favourite waste of time, Pokémon Go. Varma notes that the apps carrying Tordow v2.0 were downloaded from third-party sites, not from Google Play.

Now for the good news. While Tordow v2.0 is a vicious Trojan, you can greatly reduce the risk of infection by avoiding third-party download sites, keeping your mobile antivirus up to date, and being suspicious of any new download link. You will never be totally safe from dangerous ransomware in this era, as even yours truly became infected with mobile ransomware recently. Thankfully, I caught it quickly and removed it, but it just goes to show that even a member of the InfoSec community is just as vulnerable as the general population.

Photo credit: Comodo, Santeri Viinamäki

