Several security firms recently discovered Tor-based malware on the Android platform. When we received the sample, we made a quick analysis of it.
The sample has been reported to have C&C capability that uses an unusual top-level domain (.onion). This TLD is used by Tor.
The malware's use of the Orbot Tor client can be seen in its Java classes:
The following screenshot shows an example of the permissions used by this malware and its capability to run a Tor client:
We discovered further functionality beyond Tor: the malware also takes advantage of SMS, contacts, USSD, and listing installed apps.
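As an added example (not part of the original analysis), the following static triage heuristic combines the indicators described above: a `.onion` C&C host and bundled Orbot/Tor classes inside `classes.dex`, together with the SMS, contacts and USSD (dial) permissions in a decoded `AndroidManifest.xml`. The class-name markers, permission names and the embedded sample inputs are assumptions constructed for the example, not values taken from the sample.

```python
"""Static triage for a Tor-based Android sample: flag an APK whose dex
embeds a .onion host and Tor client classes while the manifest requests
SMS, contacts and dial (USSD) permissions. Added example; inputs constructed."""
import re

# v2 (16 chars) or v3 (56 chars) onion hostnames, searched in raw dex bytes.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
# Assumed class-path markers left by a bundled Orbot/Tor client (hypothetical).
TOR_CLASS_MARKERS = (b"Lorg/torproject/", b"Linfo/guardianproject/")
# Permission groups matching the capabilities listed in the post.
PERMISSION_GROUPS = {
    "network": {"android.permission.INTERNET"},
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "ussd": {"android.permission.CALL_PHONE"},  # USSD codes are dialled like a call
}
PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')


def manifest_permissions(manifest_xml):
    """Permissions requested in an apktool-decoded AndroidManifest.xml."""
    return set(PERM_RE.findall(manifest_xml))


def onion_hosts(dex_bytes):
    """Unique .onion hostnames found in raw dex bytes."""
    return sorted({m.decode() for m in ONION_RE.findall(dex_bytes)})


def bundles_tor_client(dex_bytes):
    return any(marker in dex_bytes for marker in TOR_CLASS_MARKERS)


def triage(manifest_xml, dex_bytes):
    """Combine the indicators; 'suspicious' needs onion C&C, Tor client,
    network access and at least two of the SMS/contacts/USSD groups."""
    perms = manifest_permissions(manifest_xml)
    groups = sorted(g for g, names in PERMISSION_GROUPS.items() if perms & names)
    onions = onion_hosts(dex_bytes)
    tor = bundles_tor_client(dex_bytes)
    abuse = len(set(groups) & {"sms", "contacts", "ussd"})
    suspicious = bool(onions) and tor and "network" in groups and abuse >= 2
    return {"onion_hosts": onions, "tor_client": tor,
            "permission_groups": groups, "suspicious": suspicious}


# Constructed sample inputs (placeholders, not the real sample's values).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
SAMPLE_DEX = b"dex\n035\0...Lorg/torproject/android/service/TorService;...http://abcdefghijklmnop.onion/panel..."
SAMPLE_REPORT = triage(SAMPLE_MANIFEST, SAMPLE_DEX)
```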