Pincer.A – new Android trojan warning

But the device is far from protected. The malware, its file name is ‘Certificate.apk’, was discovered and analyzed by F-Secure. It is able to forward SMS messages to its C&C server, and undertake functions based on commands it receives. “Previous malicious mobile applications pretending to be certificates have been mobile components of banking trojans aimed at defeating two-factor authentication. The fact Pincer is able to forward SMS messages means it can certainly also be used as such.”

The standard data sent to the C&C server includes phone number, device serial number, phone model, carrier, and OS version. However, the SMS forwarding mechanism makes it classic spyware able to steal any data that is communicated by the device via texts. 

While the ‘certificate’ logo is an attempt to ‘hide in plain site’, the trojan includes two additional devices to disguise its presence. The first is to confirm that the target is a genuine phone and not an emulator (researchers frequently use emulators while they are analyzing suspect code). It does this by checking the phone’s International Mobile Equipment Identity number (IMEI), the phone number, operator, and phone model; and is, says, F-Secure, a “common ‘anti-analysis’ technique used by Windows malware.”

The second device is the malware’s ability to pop-up reassuring messages on the screen. “The show_message command enables interesting interactivity as it displays a message to the victim, the message content comes from the C&C at the same time as the command itself is delivered,” notes F-Secure. Thus, if the hacker wished to do something on the Android that might draw suspicion to the infection, he could send a re-assuring message designed to allay fears and again avoid detection.

Interestingly, it was only last week that F-Secure commented on an analysis of the Android Stels trojan (the analysis was by Dell SecureWorks’ Brett Stone-Gross): “Stone-Gross's analysis is significant evidence of Android malware's evolution into mass-market crimeware.” Android Pincer.A is further and immediate confirmation.

What’s hot on Infosecurity Magazine?