Protip: don’t install an Android application package file if it’s named “Certificate.apk”.
It’s not legit (obviously).
Trojan:Android/Pincer.A is able to forward SMS messages and perform other actions based on commands it receives from its C&C. When installed, it will appear in the application menu as “Certificate” and will display related bogus messages when run.
Previous malicious mobile applications pretending to be certificates have been the mobile components of banking trojans aimed at defeating two-factor authentication. The fact that Pincer can forward SMS messages means it can certainly be used in the same way.
The commands Pincer waits for are:
The show_message command enables interesting interactivity: it displays a message to the victim, and the message content is delivered from the C&C together with the command itself.
The call-home destinations for the trojan are http://198.xxx.xxx.xxx:9081/Xq0jzoPa/g_L8jNgO.php and +4479372xxxxx.
The IMEI of the phone is used as an identifier by the C&C server. Other information sent there includes phone number, device serial number, phone model, carrier, and OS version.
Of note: Pincer checks to see if it’s being run in an emulator by checking the IMEI, phone number, operator, and phone model. (A common “anti-analysis” technique used by Windows malware.)
Additional similar samples:
And on a final note…
The trojan includes a class called USSDDumbExtendedNetworkService. The URI_AUTHORITY variable is set to [redacted].com — and the redacted word is either associated with a French Canadian concrete company or else it may be the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.
We don’t have any “concrete” evidence… but we’re pretty sure Pincer doesn’t have anything to do with Canada.
Technical analysis by — Mikko Suominen
Updated to add:
Here are two more Pincer samples discovered through data mining:
This one is essentially the same as the previous three, but has a different C&C URL (https://xxx-xxxxx.com/android_panel/gate.php) and certificate. It was first seen in VirusTotal a week earlier than the first of the previously discovered samples.
This is a more interesting sample, clearly an earlier variant (submitted to VirusTotal on March 19th). This version doesn’t pretend to be a certificate. Instead it calls itself “Mobile Security”.
The sample crashed on start, but based on static analysis, it would display the message “Mobile Security System is active now. You are protected.” The icon is the same as in other variants. The name of the package is also different. The other samples use com.security.cert or com.security.certificate, this one is com.[redacted].diverter.
Yeah… that’s a feature you don’t want in your “mobile security”.
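As an added triage example (not part of the original analysis or F-Secure tooling), the following Python script pulls the static indicators named above (the USSDDumbExtendedNetworkService class, the com.security.cert* package paths, the show_message command and the two C&C gate paths) out of an APK's classes.dex entries and scores the file. The indicator weights and the threshold are assumptions of this example; the APK it scans is constructed in memory.

```python
import io
import zipfile

# Static indicators taken from the Pincer analysis above. Dex class paths use
# the "Lcom/pkg/Name;" form, so package prefixes are matched in that form.
# The weights are an assumption of this example, not F-Secure's scoring.
PINCER_INDICATORS = {
    b"USSDDumbExtendedNetworkService": ("class USSDDumbExtendedNetworkService", 3),
    b"Lcom/security/cert": ("package com.security.cert*", 2),
    b"show_message": ("C&C command show_message", 1),
    b"/android_panel/gate.php": ("C&C gate path /android_panel/gate.php", 2),
    b"g_L8jNgO.php": ("C&C gate path g_L8jNgO.php", 2),
}


def scan_apk(apk_bytes):
    """Scan every classes*.dex inside an APK (a zip) for Pincer indicators.

    Returns (score, [matched indicator descriptions])."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            dex = zf.read(name)
            for needle, (desc, weight) in PINCER_INDICATORS.items():
                if needle in dex:
                    hits[desc] = weight  # dict dedupes across multidex files
    return sum(hits.values()), sorted(hits)


def is_suspicious(apk_bytes, threshold=3):
    """Assumed threshold: the class name alone, or two weaker hits, flags the file."""
    return scan_apk(apk_bytes)[0] >= threshold


def build_constructed_apk(dex_payload):
    """Build an in-memory zip standing in for an APK (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_apk(
        b"dex\n035\x00 Lcom/security/cert/USSDDumbExtendedNetworkService; show_message")
    benign = build_constructed_apk(b"dex\n035\x00 Lcom/example/notes/MainActivity;")
    print(scan_apk(sample))        # (6, [...three indicators...])
    print(is_suspicious(benign))   # False
```

To run it on a real file, pass the bytes of the APK to scan_apk; string matching on the dex is a quick first pass, not a substitute for disassembly.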