Malware for the Android mobile operating system is using the TOR anonymity network, researchers said.
The Onion Router (TOR) is software that offers privacy when browsing the Internet by routing encrypted traffic between a user and a website through a series of volunteer-run relays around the world. TOR can also host websites as hidden services that are reachable only from inside the network.
The Android malware uses a TOR website as a command-and-control server, said Roman Unuchek of Kaspersky Lab in a blog post. Command-and-control servers are used to send instructions to the malware.
Adding TOR functions to desktop malware programs is nothing new. The latest finding shows hackers are also targeting mobile devices, which often hold valuable personal data. The malware can intercept SMSs and collect other data, such as the user’s phone number, the device’s IMEI and the country where the device is located, and it can request GPS coordinates.
TOR hidden services, which have included the now-defunct Silk Road marketplace, are denoted by “.onion” at the end of their URL. TOR websites are difficult to trace because the network masks the site’s true IP address, making it difficult to know which hosting company supports it.
Unuchek said using a TOR site as a command-and-control server makes it “impossible to shut down.”
The malware, which Kaspersky calls “Backdoor.AndroidOS.Torec.a”, uses a software package called Orbot, developed by The Guardian Project, that enables TOR on Android.
The malware doesn’t try to pretend to be Orbot in an attempt to get people to download it but instead “simply uses the functionality” of the Orbot client, Unuchek said.
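As an added illustration, not code from the Kaspersky post or from the Torec sample itself, here is a Python triage heuristic that an analyst might run over strings extracted from an APK (its manifest and dex code) to flag the indicators described above: a “.onion” command-and-control host, a reference to Orbot’s package name org.torproject.android, and the Android permissions needed for SMS interception, IMEI and phone-number collection, and GPS requests. The sample strings are constructed for the example; the onion hostname in them is made up and is not associated with any real service.

```python
import re

# Tor onion hostnames are base32 (a-z, 2-7): 16 characters for the older
# v2 format, 56 characters for v3, followed by ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)

# Orbot's Android package name; an app that drives Orbot references it
# (e.g. in an Intent target or a package query).
ORBOT_PACKAGE = "org.torproject.android"

# Permissions that map to the capabilities reported for the malware.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_PHONE_STATE": "read IMEI and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "request GPS coordinates",
}


def scan_strings(strings):
    """Collect Tor-C2 indicators from a list of strings pulled out of an APK."""
    findings = {"onion_hosts": [], "orbot_refs": [], "permissions": []}
    for s in strings:
        for match in ONION_RE.finditer(s):
            host = match.group(0).lower()
            if host not in findings["onion_hosts"]:
                findings["onion_hosts"].append(host)
        if ORBOT_PACKAGE in s and s not in findings["orbot_refs"]:
            findings["orbot_refs"].append(s)
        for perm in SUSPICIOUS_PERMISSIONS:
            if perm in s and perm not in findings["permissions"]:
                findings["permissions"].append(perm)
    return findings


def is_tor_c2_candidate(findings):
    """Heuristic verdict: a .onion host plus either Orbot use or the
    data-collection permissions. A .onion string alone is not enough,
    since legitimate privacy apps also embed onion addresses."""
    has_onion = bool(findings["onion_hosts"])
    has_capability = bool(findings["orbot_refs"]) or bool(findings["permissions"])
    return has_onion and has_capability


# Constructed sample of strings as they might be dumped from an APK.
# The onion address below is invented and does not point anywhere.
SAMPLE_STRINGS = [
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "org.torproject.android.intent.action.START",
    "http://k7m3q2w5x4z6b7n2.onion/gate.php",
    "https://www.example.com/",
    "example.onion",  # too short to be a real onion host; must not match
]


def triage(strings):
    """Return a human-readable summary for a batch of strings."""
    findings = scan_strings(strings)
    lines = [f"onion hosts: {findings['onion_hosts']}",
             f"orbot references: {findings['orbot_refs']}"]
    for perm in findings["permissions"]:
        lines.append(f"permission {perm}: {SUSPICIOUS_PERMISSIONS[perm]}")
    lines.append(f"tor C2 candidate: {is_tor_c2_candidate(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```

The regex deliberately requires the full 16- or 56-character base32 label so that ordinary words ending in “.onion” do not fire, and the verdict requires a second indicator, because a bare onion address also appears in legitimate privacy tools that bundle Tor support.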