TOR Based APK Trojan

Several security firms recently discovered TOR based malware on android platform. As we received the sample, we make some quick analysis on it.

The sample has been reported to have C&C capability which is using unusual top level domain name (.onion). This TLD is usually used by TOR.
The use of Orbot TOR Client on this malware can be seen on its Java class:
Orbot TOR Client class

The following screenshot is an example of permission that used by this malware and the capabilities to run TOR client:

Permissions TOR Client Service

We have discovered more functionality which is not just TOR but also taking advantage on SMS, contact, USSD, and listing installed apps.

Leave a Reply

Your email address will not be published. Required fields are marked *