New Android Malware Uses Tor Privacy Network

A new strain of Android malware uses the Tor anonymity network to hide the location of its command-and-control server while it snoops on your text messages, according to a report by Moscow-based security firm Kaspersky Lab.

Dubbed Backdoor.AndroidOS.Torec.a, the Trojan connects through Tor to a command-and-control server, through which, as the name implies, the Trojan's operators send commands to infected phones.


Once on a phone, the Trojan collects and uploads the device's identifying details: telephone number, country, unique device ID, phone model, operating system and the names of all installed apps.

The malware can also intercept the phone's SMS text messages, blocking the user from sending and receiving them, and can send text messages from the infected phone to any number the criminals specify via the command server.

This is especially serious if you use SMS-based two-step verification, in which a one-time code is texted to your phone: the criminals could read the code out of the intercepted message and, if they already know your password, use it to log in to your online accounts.
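A practical first check on a phone you suspect is a permission audit: an app that can read incoming SMS, send SMS and reach the network holds exactly the capabilities the Trojan described above needs. The script below is an added example (not Kaspersky's tooling and not from the original article). It parses the "requested permissions:" blocks of `adb shell dumpsys package` output; the sample text embedded in it is constructed and only approximates the real format, and the package names are made up.

```python
import re

# Constructed sample, modelled on the "requested permissions:" block that
# `adb shell dumpsys package` prints per package. Real output has far more
# fields; only the lines this parser cares about are included here.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (4d5e6f):
    userId=10099
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_PHONE_STATE
      android.permission.RECEIVE_BOOT_COMPLETED
  Package [com.example.notes] (7a8b9c):
    userId=10101
    requested permissions:
      android.permission.WRITE_EXTERNAL_STORAGE
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_requested_permissions(dump: str) -> dict:
    """Map each package name to the set of permissions it requests."""
    packages, current, in_block = {}, None, False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            packages[current] = set()
            in_block = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # Permission names are single dotted tokens; anything else (another
            # "...:" section header, a key=value line) ends the block.
            if stripped and " " not in stripped and "." in stripped:
                packages[current].add(stripped)
            else:
                in_block = False
    return packages


# The three capabilities the SMS-stealing Trojan needs: read incoming SMS
# (to catch and suppress one-time codes), send SMS on command, reach its C&C.
CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "read incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.INTERNET": "network access",
}
REQUIRED = set(CAPABILITIES)

# Extras that make the combination more suspicious in a non-messaging app.
SUPPORTING = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts at boot",
    "android.permission.READ_PHONE_STATE": "reads device identifiers",
}


def flag_sms_capable_apps(packages: dict, allowlist=()) -> dict:
    """Return {package: [capability descriptions]} for every app outside the
    allowlist that holds all three required permissions."""
    findings = {}
    for pkg, perms in packages.items():
        if pkg in allowlist or not REQUIRED <= perms:
            continue
        caps = [CAPABILITIES[p] for p in sorted(REQUIRED)]
        caps += [SUPPORTING[p] for p in sorted(SUPPORTING) if p in perms]
        findings[pkg] = caps
    return findings


if __name__ == "__main__":
    pkgs = parse_requested_permissions(SAMPLE_DUMPSYS)
    known_good = {"com.example.messenger"}   # your real SMS app goes here
    for pkg, caps in flag_sms_capable_apps(pkgs, allowlist=known_good).items():
        print(f"{pkg}: {', '.join(caps)}")
```

A legitimate messaging app holds the same three permissions, so the allowlist is essential; the signal is a flashlight or game that asks for them. Since Android 4.4 only the default SMS app can suppress an incoming message, so on newer phones the "block SMS" part of the Trojan's behaviour needs more than these permissions, but the combination is still the right thing to look for.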

The malware's code is largely based on a Tor client for Android called Orbot, Kaspersky security expert Roman Unuchek wrote on Securelist, the company's blog for security professionals. Unuchek didn't specify how the Trojan got onto infected phones, but noted that it does not pose as Orbot to trick people into installing it.

Tor, short for "The Onion Router," is an anonymity network that hides who is talking to whom by routing each connection through a chain of volunteer-run relays (normally three) picked from thousands. The client wraps its traffic in one layer of encryption per relay, and each relay peels off only its own layer, so it learns the previous and the next hop but never both ends of the connection. Users with a Tor client can browse the Web without their traffic being traced back to them.
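To make the layered-encryption idea concrete, here is a toy onion-routing simulation added for this article; it is not Tor's code and not part of the original piece. It stands in an HMAC-SHA256 keystream for a real cipher and uses made-up relay names and a made-up destination; Tor itself negotiates per-hop keys, uses AES in fixed-size cells and does much more, but the property shown (each relay learns only its neighbours) is the one that matters.

```python
import hashlib
import hmac
import os

HOP_FIELD = 24  # fixed-width field carrying the next hop's name


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only; real
    Tor circuits use AES-CTR with keys negotiated per hop."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one encryption layer that only the holder of `key` can remove."""
    nonce = os.urandom(8)
    body = next_hop.encode().ljust(HOP_FIELD, b"\0") + inner
    return nonce + _xor(body, _keystream(key, nonce, len(body)))


def unwrap(key: bytes, onion: bytes):
    """Peel one layer: returns (next_hop, remaining onion)."""
    nonce, ciphertext = onion[:8], onion[8:]
    body = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    return body[:HOP_FIELD].rstrip(b"\0").decode(), body[HOP_FIELD:]


def build_onion(path, destination: str, message: bytes) -> bytes:
    """Wrap `message` once per relay, innermost layer for the last relay.
    `path` is [(relay_name, key_shared_with_that_relay)] in forward order."""
    onion, next_hop = message, destination
    for name, key in reversed(path):
        onion = wrap(key, next_hop, onion)
        next_hop = name
    return onion


def forward(relays: dict, first_hop: str, onion: bytes):
    """Simulate the relays. Each one peels its own layer and learns only the
    next hop. Returns (final destination, payload, per-relay view)."""
    views, hop = [], first_hop
    while hop in relays:
        next_hop, onion = unwrap(relays[hop], onion)
        views.append({"relay": hop, "sees_next": next_hop, "bytes_out": onion})
        hop = next_hop
    return hop, onion, views


def demo():
    # Constructed circuit: three relays, each with its own key shared with the client.
    relays = {name: os.urandom(32) for name in ("guard", "middle", "exit")}
    path = [(n, relays[n]) for n in ("guard", "middle", "exit")]
    message = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    onion = build_onion(path, "example.test", message)
    return forward(relays, "guard", onion)


if __name__ == "__main__":
    dest, payload, views = demo()
    for v in views:
        print(f"{v['relay']:>6} learns next hop = {v['sees_next']}")
    print(f"delivered to {dest}: {payload!r}")
```

The guard knows the client's address but only sees ciphertext bound for "middle"; the exit sees the destination and the plaintext request but not who sent it. That last point is why the exit relay is where unencrypted traffic is exposed, and why a hidden service such as this Trojan's command server, which the client reaches without ever leaving the Tor network, is so hard to locate.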

Often, security researchers dismantle such cybercriminal operations by tracing the malware's traffic to the IP address of its command-and-control server and having that server taken offline. Malware that reaches its server only through Tor makes that much more difficult, because the server's real address is never exposed.

Similar Tor-based malware attacks have been seen on Windows computers for some time now. But Kaspersky says this is the first Android-based malware that uses Tor.

Websites hosted as Tor hidden services (most famously the now-defunct Silk Road black market) are reachable only through an .onion address inside the Tor network, so the server's IP address is never revealed and the site is difficult to trace back to a physical location. Unuchek described the site behind this particular Android Trojan as "impossible to shut down."

The good news is that keeping a Tor connection open, while hard to trace, is also hard on the device's battery. If your phone runs out of juice much faster than usual, an anti-malware scan is a cheap first check, though battery drain alone is not proof of infection; the per-app battery and data-usage lists in the phone's settings can show which app is responsible.


Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • dalethepcman
    So they have no clue how anyone got this malware. Really good researchers.... Octacon.. really...Because everyone knows only android devices get malware. Always hating...
  • maddad
    So they have no clue how anyone got this malware. Really good researchers.... Octacon.. really...Because everyone knows only android devices get malware. Always hating...
    If this had been an Apple iOS malware story there would have been 600 comments about how terrible iOS is and how easy it is to hack. Because all the Android users just have to read and comment on "any" story about Apple. Instead there are only 2 comments. Only "1" bashing Android. And yet you cry foul!!!!
  • house70
    Where is this stuff? I mean, really, I'm craving to see the first Android phone that is actually infected with any of this. I have a lot of friends with Android-based phones and I browse a lot of Android-related forums, yet I still have not encountered one instance where someone could actually show us a phone that's infected. I call epic BS on each and every article like this until proof is shown. I understand AV writers have to make a living, but they could do it without false alarms. Each and every "researcher" also fails to demonstrate how one would need to defeat (actively) all the stopgaps put in place by default in the OS in order to get any malware on their phone. It's like having a permanent internet connection with NO firewall, no AV programs and ALL ports open. Show me a system like that that doesn't get spoofed in a few minutes. At least Apple is openly collaborating with the NSA, since any and all iPhones can be "penetrated" at any time. No reason to use malware there. LOL