UK Crooks Linked To Android Trojan Posing As Security App

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Research indicates UK crooks hungry for Android user banking info

Another dangerous Android Trojan has been found, using the disguise of a legitimate security app and sending stolen information to a UK-based mobile number.

The malicious Android application package file, named “Certificate.apk”, comes  disguised as a security download. One variant of the malware appeared on Android devices as a “Mobile Security” app.

Android Trojan linked to Russia and UK

Android hack smartphone GoolgleIt can forward on text messages to attackers once on a device, as well as perform other commands enforced by the attackers. The telephone number used to accept data from the Trojan is a +44 mobile number, indicating it is within the UK.

On analysis of the Trojan, a piece of code contained a link to the Twitter handle of a “young Russian whose Google+ page lists employment as ‘Android developer’,” security firm F-Secure noted.

That could indicate the malware was written in Russia, before being sold to UK criminals. It would also suggest a global operation, according to Sean Sullivan, security adviser at F-Secure, who told TechWeekEurope a banking Trojan crew was most likely behind the operation.

He also noted how the Perkele Android Trojan, which was selling on the underground for as much as $15,000, sent stolen data to some UK numbers.

TechWeek understands the Russian involved is employed by a legitimate app developer in Russia, but is believed to be doing illegitimate Android applications on the side.

The aim of the Pincer Android Trojan appears to be to intercept banking codes to bypass two-factor authentication.

“Previous malicious mobile applications pretending to be certificates have been mobile components of banking trojans aimed at defeating two-factor authentication. The fact Pincer is able to forward SMS messages means it can certainly also be used as such,” read a blog post from F-Secure.

“The IMEI of the phone is used as an identifier by the C&C server. Other information sent there includes phone number, device serial number, phone model, carrier and OS version.

“Of note: Pincer checks to see if it’s being run in an emulator by checking the IMEI, phone number, operator, and phone model – a common ‘anti-analysis’ technique used by Windows malware.”

Last week saw a significant milestone in the development of Android attack tactics, as the Cutwail botnet was used to send spam containing links to sites serving malware for the Google operating system.

What do you know about Internet security? Find out with our quiz!

Read also :