Android Banking Trojan First to Gain Root Privileges

The first mobile banking Trojan that obtains root privileges on Android devices has been seen in the wild.

Developers behind an Android banking Trojan have fortified the malware with an exploit to help it gain root privileges; this is the first time a mobile banker that tries to obtain root privileges has been seen in the wild.

Researchers detected the Tordow Trojan in February, but attackers have apparently tweaked it over the last several months in order to help it gain root privileges.

Anton Kivva, a malware analyst with Kaspersky Lab, has been following the evolution of Tordow and described its recent updates in an in-depth Securelist post early Tuesday morning.

Once malicious code in the app is triggered, it downloads additional malware, including an exploit pack that’s downloaded to the system folder which grants the attacker root privileges on the device. With that, the attacker can do pretty much whatever he wants, Kivva writes.

The Trojan can steal credentials from browsers installed on infected devices, either the default Android browser or Chrome, if it’s installed, and eavesdrop on SMS messages and calls.

By being able to access browser information, attackers can glean bank account information from victims, such as logins, stored banking passwords, and cookies, assuming they’ve been saved in the browser.

To make matters worse, with super user rights, attackers can steal any file from an infected device, including photos, documents, and files that may contain further information on the victim’s device. The malware also affords an attacker the ability to reboot the device, make calls, steal contacts, and install and remove apps

According to Kaspersky Lab while the majority of victims have been in Russia, they’ve also seen some activity in Ukraine, China, and India.

Attackers are circulating the Trojan in fake versions of popular apps such as Pokémon Go, Telegram, and the European social networking app VKontakte. While the booby-trapped apps aren’t on the Google Play marketplace, attackers are relying on unsuspecting users installing them via third party sources.

Attackers have managed to leverage the popularity of Pokémon Go several times since the game’s debut in July, incorporating it into a backdoored RAT and using it to spread ransomware. Researchers with Kaspersky Lab warned last week that a malicious Android app with a Pokémon tilt, Guide for Pokémon GO, actually made it into Google Play and secretly gave attackers root access to 6,000 devices that it was installed on.

There have been a flurry of vulnerabilities that tricks users into allowing attackers root access on Android devices as of late.

Google was forced to remove a handful of apps from Play in June after they were found auto-rooting devices. At the time, experts at mobile security firm Lookout, who discovered the malware, called the auto-rooting one of the newest and persistent trends in mobile threats.

Scores of Android devices, more than 900,000, were vulnerable over the summer to Quadrooter, a family of vulnerabilities that allowed attackers to bypass mitigations in Android’s Linux kernel and in turn, gain root privileges. Like Tordow, to achieve root access via Quadrooter, an attacker would’ve had to trick a victim into downloading a malicious app.

There have been a growing number of Trojans that achieve root privileges and infect system directories of Android devices but the technique usually isn’t necessary for banking Trojans since they can often steal data through multiple avenues. Kivva said Tuesday though that given the ongoing trend of malware targeting root access, it was only a matter of time until banking malware adopted the method.

“Recently we have witnessed the growing trend of an increasing number of malware hunting for root access,” Kivva said, “It was just a matter of time before we saw the first banker doing the same thing. It’s extremely important to protect your device against these type threats, as it’s almost impossible to delete the malware once it received the root access.”

Suggested articles