New Android trojan can thwart two-factor authentication

Status
Not open for further replies.

Jack

Info Security said:
Mobile malware is cresting as it never has in the past, with new bugs being developed at breakneck speed. One of these, a new version of the Pincer trojan for Android that can intercept inbound text messages and forward them on, can compromise two-factor authentication protections.

Russian anti-virus company Doctor Web is warning users about Android.Pincer.2.origin, a serious threat that can steal SMS messages containing sensitive information such as mTAN codes, which are used to confirm online banking transactions. Essentially, it offers hackers a way around two-step authentication protection to thwart phishing scams and the like.

Unfortunately, Pincer 2 allows criminals to use the trojan for targeted attacks and to steal specific messages, not just cast a wide net. For example, it can specifically wait for SMS communications from two-factor systems that use text messages to verify a user’s identity, or services that send a text message with a randomized password when users want to log into an account. Twitter, for instance, just implemented such a scheme.

Like its predecessor, this malicious program is spread as a fake security certificate that tells users it “must” be installed onto their Android device. If a careless user does install the program and attempts to launch it, the crafty side of the bug kicks in: Android.Pincer.2.origin will display a fake notification about the certificate’s successful installation and will not perform any noticeable activities for a while in order to avoid detection.

Doctor Web found that to be loaded at startup, the trojan will make sure that its process – CheckCommandServices – will be run as a background service. If at some point Android.Pincer.2.origin is launched successfully at startup, it will connect to a remote Command & Control server and send information about the mobile device, including handset model, serial number, carrier, operating system, phone number and the availability of the root account.

After that, the program waits for the attackers to indicate the number from which the trojan needs to intercept messages. Attackers can also ask it to do a range of other things, including sending text messages using specified parameters or to certain numbers, sending USSD messages and displaying a message on the screen of the mobile device.

Read more: http://www.infosecurity-magazine.com/view/32610/new-android-trojan-can-thwart-twofactor-authentication/
 

Ink

I was waiting for this to happen, and it was only a matter of time before it did. :666:
 