Wednesday, May 22, 2013

The new Android-stealing malicious SMS - SayberCekyuriti.Ru

company “Doctor Web” found a new malicious program for the platform Android, capable of intercepting incoming SMS messages and forward them to the attacker. Trojan Android.Pincer.2.origin is a very serious threat to users, as in stolen them messages may be including checking mTAN-codes that are used by various financial systems, such as “Client-Bank” for confirmation of transactions, as well as other confidential user information.

Trojan detected by several experts days ago is the second known member of the family Android.Pincer. Like its predecessor, the updated malware spreads as a security certificate, which supposedly want to install on your mobile Android-powered device. If the unwary user installs and tries to run the Trojan, Android.Pincer.2.origin show a false report about the successful installation of the certificate, and then the time will not show any significant activity.

To loaded with the operating system, the Trojan registers a system service CheckCommandServices, which subsequently runs as a background service. In case of a successful start at the next turn Android.Pincer.2.origin mobile device connects to a remote server and downloads the malicious him a number of information about the mobile device. Among them:

model name;
serial number;
the name of your service provider;
cell phone;
language used by default in the system;
version of the operating system;
information on whether there is a root-access.

Next malware waiting for admission from intruders control SMS message with text type «command: [team name]“, containing an indication for further actions. Cybercriminals, the following guidelines:

start_sms_forwarding [telephone number] – to begin the interception of communications with the specified number;
stop_sms_forwarding – complete interception of communications;
send_sms [phone number and the text] – send SMS specified parameters;
simple_execute_ussd – execute USSD-request;
stop_program – stop working;
show_message – display a message on the screen of the mobile device;
set_urls – change the address of the management server;
ping – send SMS with text pong at a pre-specified number;
set_sms_number – to change the number that goes with the text message pong.

Team start_sms_forwarding is of particular interest because it enables attackers to specify Trojan, messages from what number he needs to intercept. This feature enables the use of malware as a tool to carry out targeted attacks and steal, so specific SMS messages, such as messages from the system “Client-Bank” containing mTAN-checking codes or SMS confidential, intended for various categories of persons from simple users to corporate executives and government agencies.

Embed to blog: