Tordow 2.0 Is Android Malware That Targets Your Bank Account

A new piece of Android malware, dubbed Tordow 2.0 targets peoples’ bank accounts. The platform that it appears on? Android. Here’s how to protect yourself.

Further Reading

Android Phones Found To Have BackDoor To China

New Android Malware Called Dirty Cow Can Root Phones

Tordow 2.0

First discovered in September 2016, security firm Comodo reports that the malware got a big update this month, making it scarier than ever. Tordow is a mobile banking Trojan that specifically targets Android devices. Comodo first found the malware affecting people in Russia.

The first version of the malware didn’t need root access to command your phone, but Torddow 2.0 does include root privileges.


Rooting is a process by which Android users gain privileged control, or root access, over their device. It gives you complete control over your device and lets you customize it in various ways. Rooting is similar to iOS jailbreaking, as it lets users alter/replace system settings, apps, and more.

Tordow Details—via Comodo

Tordow 2.0 Functions
  • Make phone calls
  • Control SMS messages
  • Download/install apps
  • Steal login credentials
  • Access contacts
  • Encrypt files
  • Visit web pages
  • Manipulate banking data
  • Remove security software
  • Reboot your device
  • Rename files
  • Act as ransomware

As you can see, the update to the original Tordow gives the malware a lot of control over your Android device. Additionally, it collects data about your device’s hardware and software, OS version, manufacturer, ISP and your location.

Nine Conditions For Root—via Comodo

Technical Details

Tordow 2.0 has CryptoUtil class functions. This lets it encrypt/decrypt files using the AES algorithm with a hard coded key: MIIxxxxCgAwlB. The malware has nine ways to verify that it has root access. It transmits its status to a command-and-control (C&C) server that the attacker controls.

It spreads via social media and gaming apps that hackers download, reverse engineer and sabotage. Exploited apps include Vkontakte (Russian Facebook), Pokemon Go, Telegram, and Subway Surfers).

Device Info It Obtains—via Comodo

Hacked apps behave just like the original, except they contain encrypted code that includes C&C communications, the exploit pack for root access and access to Trojan modules it can download.

“Although the majority of victims have been in Russia, successful hacker techniques usually migrate to other parts of the globe.”

How To Avoid

The main method of transmission is through infected apps hosted on third-party websites. If you only download apps from first-party Google Play, you should be fine. Avoid the tempting download links for Pokemon Go with built-in cheats or mods.

If you still want to use nonofficial apps, only use reputable websites like APKMirror or XDA Developers. These places verify third-party apps before they publish them.

It’s also a good idea to use antivirus software on your Android device. Big names like AVG, Kaspersky and Avast, are all available on Google Play.