[tor-talk] Orbot built-into new Android malware

Nathan Freitas nathan at freitas.net
Tue Feb 25 01:11:26 UTC 2014


The screenshot on this page shows that they've included the Orbot source
itself right into the app. +1 for open-source, -1 for sneaky malware
using .Onion C&C's.

http://www.securelist.com/ru/blog/207769023/Pervyy_TOR_troyanets_pod_Android

(google translation below)

The first Tor Trojan for Android
Roman Unuchek
Expert, Kaspersky Lab
published February 24, 2014, 13:09 MSK
Topics: Threats to mobile devices, Google Android

Virus writers creating Android Trojans have traditionally used the
functionality of Windows malware as their model. Now another "trick" of
Windows Trojans has been implemented on Android: we found the first
Android Trojan that uses a domain in the .onion pseudo-zone as its C&C.
The Trojan thus uses the anonymous Tor network, which is built on a
network of proxy servers. Besides providing user anonymity, Tor allows
"anonymous" sites to be hosted in the .onion pseudo-zone, reachable only
through Tor.

Backdoor.AndroidOS.Torec.a is a variation of the popular Tor client
Orbot. The attackers added their own code to this application; the
Trojan does not impersonate Orbot, it simply uses the client's
functionality.

The Trojan can receive the following commands from the C&C:

- start / stop intercepting incoming SMS
- start / stop stealing incoming SMS
- make a USSD request
- send data about the phone to the C&C (phone number, country, IMEI,
  model, OS version)
- send the list of applications installed on the device to the C&C
- send an SMS to the number specified in the command

Using Tor has its pros and cons for the intruders. Among the advantages
is that such a C&C cannot be taken down. The disadvantages include the
extra code it requires: for Backdoor.AndroidOS.Torec.a to use Tor, far
more code was needed than for its own functionality.
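As an added illustration (not code from the post or from the Kaspersky article), a static triage heuristic over APK metadata that flags the combination described above: a bundled Tor client, a .onion C&C host, and SMS or device-information permissions. The permission names are real Android permissions and `org.torproject.android` is Orbot's package name; the sample permission and string lists are constructed for this example, as is the `triage` function.

```python
import re
from typing import Dict, List

# 16-character base32 labels are the .onion address format of the 2014 era.
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b", re.IGNORECASE)
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE"}        # USSD goes through the dialer
DEVICE_ID_PERMS = {"android.permission.READ_PHONE_STATE"}  # IMEI, phone number
TOR_MARKERS = ("org.torproject.android", "torrc")     # strings an embedded Orbot leaves behind


def triage(permissions: List[str], strings: List[str]) -> Dict[str, object]:
    """Score one APK from its declared permissions and extracted string constants.

    Inputs are assumed to come from a tool such as aapt/apktool; nothing here
    executes the sample. Returns a dict of indicators plus a combined verdict."""
    perms = set(permissions)
    onions = sorted({m.group(0).lower() for s in strings for m in ONION_RE.finditer(s)})
    findings: Dict[str, object] = {
        "onion_hosts": onions,
        "tor_bundled": any(marker in s for s in strings for marker in TOR_MARKERS),
        "sms_interception": bool(perms & SMS_PERMS),
        "ussd_capable": bool(perms & CALL_PERMS),
        "device_fingerprint": bool(perms & DEVICE_ID_PERMS),
    }
    # A real Tor client legitimately bundles Tor. The combination worth a
    # closer look is a hard-coded .onion host together with SMS access.
    findings["suspicious"] = bool(onions) and findings["sms_interception"] is True
    return findings


# Constructed sample: a Torec-style app (embedded Orbot, .onion C&C, SMS access).
SAMPLE_PERMS = ["android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
                "android.permission.CALL_PHONE"]
SAMPLE_STRINGS = ["org.torproject.android.service.TorService",
                  "http://abcdefghijklmnop.onion/cmd", "IMEI", "torrc"]

# Constructed benign sample: a plain Tor client with no .onion C&C and no SMS rights.
BENIGN_PERMS = ["android.permission.INTERNET"]
BENIGN_STRINGS = ["org.torproject.android", "torrc", "https://check.torproject.org/"]

if __name__ == "__main__":
    for name, p, s in (("sample", SAMPLE_PERMS, SAMPLE_STRINGS),
                       ("benign", BENIGN_PERMS, BENIGN_STRINGS)):
        print(name, triage(p, s))
```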
