New Android trojan can thwart two-factor authentication

Russian anti-virus company Doctor Web is warning users about Android.Pincer.2.origin, a serious threat that can steal SMS messages containing sensitive information such as mTAN codes, which are used to confirm online banking transactions. Essentially, it offers hackers a way around two-step authentication protection to thwart phishing scams and the like.

Unfortunately, Pincer 2 allows criminals to use the trojan for targeted attacks and to steal specific messages, not just cast a wide net. For example, it can specifically wait for SMS communications from two-factor systems that use text messages to verify a user’s identity, or services that send a text message with a randomized password when users want to log into an account. Twitter, for instance, just implemented such a scheme.

Like its predecessor, this malicious program is spread as a fake security certificate that tells users it “must” be installed onto his or her Android device. If a careless user does install the program and attempts to launch it, the crafty side of the bug kicks in: Android.Pincer.2.origin will display a fake notification about the certificate’s successful installation and will not perform any noticeable activities for a while in order to avoid detection.

Doctor Web found that to be loaded at startup, the trojan will make sure that its process – CheckCommandServices – will be run as a background service. If at some point Android.Pincer.2.origin is launched successfully at startup, it will connect to a remote Command & Control server and send information about the mobile device, including handset model, serial number, carrier, operating system, phone number and the availability of the root account.

After that, the program waits for the attackers to indicate the number from which the trojan needs to intercept messages. Attackers can also ask it to do a range of other things, including sending text messages using specified parameters or to certain numbers, sending USSD messages and displaying a message on the screen of the mobile device.

Mobile malware is seeing a big shift, particularly for Android devices, which are hackers’ mobile targets better than 99% of the time. Researchers continue to find that the pace of mobile malware development is accelerating. A total of 22,750 new modifications of malicious programs targeting mobile devices were detected this past quarter by Kaspersky Lab, which is more than half of the total number of modifications detected in all of 2012.

What’s Hot on Infosecurity Magazine?