Malware descriptions

The banker that can steal anything

In the past, we’ve seen superuser rights exploit advertising applications such as Leech, Guerrilla, Ztorg. This use of root privileges is not typical, however, for banking malware attacks, because money can be stolen in numerous other ways that don’t require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy. We had been watching the development of this malicious program closely and found that Tordow’s capabilities had significantly exceeded the functionality of most other banking malware, and this allowed cybercriminals to carry out new types of attacks.

Penetration

A Tordow Infection begins with the installation of a popular app, such as VKontakte, DrugVokrug, Pokemon Go, Telegram, Odnoklassniki or Subway Surf. In this particular case, we’re not talking about the original apps but copies that are distributed outside the official Google Play store. Malware writers download legitimate applications, disassemble them and add new code and new files.

The banker that can steal anything

Code added to a legitimate application

Anyone who possesses even a little knowledge of Android development can do it. The result is a new app that is very similar to the original, performs all the stated legitimate functions, but that also has the malicious functionality that the attackers need.

How it works

In the case in question, the code embedded in the legitimate app decrypts the file added by the cybercriminals in the app’s resources and launches it.

The launched file calls the attacker’s server and downloads the main part of Tordow, which contains links to download several more files – an exploit to gain root privileges, new versions of malware, and so on. The number of links may vary depending on the criminals’ intentions; moreover, each downloaded file can also download from the server, decrypt and run new components. As a result, the infected device is loaded with several malicious modules; their number and functionality also depend on what the Tordow owners want to do. Either way, the attackers get the chance to remotely control the device by sending commands from the C&C.

As a result, cybercriminals get a full set of functions for stealing money from users by applying the methods that have already become traditional for mobile bankers and ransomware. The functionality of the malicious app includes:

  • Sending, stealing, deleting SMS.
  • Recording, redirecting, blocking calls.
  • Checking the balance.
  • Stealing contacts.
  • Making calls.
  • Changing the C&C.
  • Downloading and running files.
  • Installing and removing applications.
  • Blocking the device and displaying a web page specified by a malicious server.
  • Generating and sending a list of files contained on the device; sending and renaming of files.
  • Rebooting a phone.

Superuser rights

In addition to downloading modules belonging to the banking Trojan, Tordow (within the prescribed load chain of modules) also downloads a popular exploit pack to gain root privileges, which provides the malware with a new attack vector and unique features.

Firstly, the Trojan installs one of the downloaded modules in the system folder, which makes it difficult to remove.

Secondly, using superuser rights the attackers steal the database of the default Android browser and the Google Chrome browser if it’s installed.

The banker that can steal anything

Code for sending data from browsers to the server

These databases contain all the logins and passwords stored by the user in the browser, browsing history, cookies, and sometimes even saved bank card details.

The banker that can steal anything

Login and password from a specific site in the browser database

As a result, the attackers can gain access to several of the victim’s accounts on different sites.

And thirdly, the superuser rights make it possible to steal almost any file in the system – from photos and documents to files containing mobile app account data.

These attacks can result in the theft of huge amounts of critical user data. We recommend that users do not install apps from unofficial sources and use antivirus solutions to protect Android-based devices.

MD5

06CBA6FF7E9BCF2C61EF2DD8B5E73A30
3C1B589DA2F8DB972E358DD96F9B54B0
5F5906017C6F7D7DE5BD50440969E532
8E00657A004F3040E850CA361DE64D64
ACF114BB47A624438ADA26B8D449C06D

The banker that can steal anything

Your email address will not be published. Required fields are marked *

 

  1. Kyler

    Great report, thanks for doing what you do!

    The passwords in the browser database aren’t hashed or encrypted? Storing this type of critical data without severe security protections is irresponsible.

  2. Steven Chen

    Hi have samples share?? 🙂 File or MD5

  3. Butch Pilapil

    Thanks for the info.

  4. Jim Mattson

    Thank you for your wonderful work!

Reports

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Subscribe to our weekly e-mails

The hottest research right in your inbox