Pincer.A – new Android trojan warning

08 April 2013

A new Android trojan that pretends to be a security feature has been discovered. Once installed, it displays a ‘certificate’ logo, which, if clicked, pops up a message: “Certificate installed successfully! Your device is protected now.”

But the device is far from protected. The malware, whose file name is ‘Certificate.apk’, was discovered and analyzed by F-Secure. It is able to forward SMS messages to its C&C server and to carry out functions based on the commands it receives. “Previous malicious mobile applications pretending to be certificates have been mobile components of banking trojans aimed at defeating two-factor authentication. The fact Pincer is able to forward SMS messages means it can certainly also be used as such.”

The standard data sent to the C&C server includes the phone number, device serial number, phone model, carrier, and OS version. The SMS forwarding mechanism, however, makes it classic spyware, able to steal any data the device communicates via text message, including one-time codes sent over SMS.

While the ‘certificate’ logo is an attempt to ‘hide in plain sight’, the trojan includes two additional devices to disguise its presence. The first is a check that the target is a genuine phone and not an emulator (researchers frequently use emulators while they are analyzing suspect code). It does this by examining the phone’s International Mobile Equipment Identity number (IMEI), the phone number, the operator, and the phone model; this is, says F-Secure, a “common ‘anti-analysis’ technique used by Windows malware.”

The second device is the malware’s ability to pop up reassuring messages on the screen. “The show_message command enables interesting interactivity as it displays a message to the victim, the message content comes from the C&C at the same time as the command itself is delivered,” notes F-Secure. Thus, if the hacker wished to do something on the Android device that might draw suspicion to the infection, he could send a reassuring message designed to allay the user’s fears and again avoid detection.

Interestingly, it was only last week that F-Secure commented on an analysis of the Android Stels trojan (the analysis was by Dell SecureWorks’ Brett Stone-Gross): “Stone-Gross's analysis is significant evidence of Android malware's evolution into mass-market crimeware.” Android Pincer.A is further and immediate confirmation.
