Android/Pincer.A!tr.spy

Analysis

Android/Pincer.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a Certificate application. However, in the background, it listens for SMS messages containing certain keywords; these messages are hidden from the victim. They carry commands that make the victim's phone perform functions such as SMS forwarding, selective call blocking, sending SMS messages and sending HTTP messages to the C&C.

Technical Details


The main application is called "Certificate" (ref Fig1) and comes in the package "com.security.cert".

Fig1 : Application Icon
When the application is launched for the first time, the victim sees the screen shown in Fig2.

Fig2 : Upon launching the application for the first time
On every subsequent launch, the victim sees the screen shown in Fig3.

Fig3 : Subsequent application launches
However, in the background, the following malicious activities are carried out:
Registration : When the application is launched for the first time, an HTTP request is sent to the C&C server with the JSON object
{action: register, device_model: [Build.MODEL],
device_serial_numer: [android_id], device_imei: [IMEI],
carrier: [Network_Operator_Name], os_version: Build.RELEASE,
phone_number: [Victim's_Phone_Number], defaul_delay: 30,
rooted: [true/false, depending on whether the phone is rooted],
language: [Phone_Language], app_version: 2.0}

Commands Queue & Check Commands : If the registration succeeds, an HTTP request is sent to the C&C with the JSON object
{action: check_commands, user_id: [IMEI]}
If registration or further HTTP requests fail, the message is instead sent via SMS to "+447937XXXXX4", depending on whether the function sendSmsOnFailure() returns true or false.
The JSON object is then appended to the contents of the field "queue" in the shared preferences, using the separator " ???@~**undefined".
The queue is then periodically processed, depending upon the keyword, as described in the table below. The periodicity of the queue processing is specified by "delay" in the shared preferences.
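For forensic triage of an infected device's shared_prefs file, the following added Python example (not part of the original analysis) recovers the pending C&C messages from the "queue" field by splitting on the separator quoted above, together with the "delay" value. The XML contents are constructed for the example; only the key names and the separator come from the analysis.

```python
import json
import xml.etree.ElementTree as ET

# Separator quoted in the analysis, placed between queued JSON objects.
QUEUE_SEPARATOR = " ???@~**undefined"

def load_shared_prefs(xml_text):
    """Flatten an Android shared_prefs XML document into a {name: value} dict.
    <string> elements carry their value as text; typed elements such as <int>
    and <boolean> carry it in the value attribute (values stay as strings)."""
    prefs = {}
    for child in ET.fromstring(xml_text.encode("utf-8")):
        name = child.get("name")
        prefs[name] = (child.text or "") if child.tag == "string" else child.get("value")
    return prefs

def pending_c2_messages(prefs):
    """Split the "queue" field on the separator and decode each queued entry.
    Entries that are not valid JSON are kept as raw strings so nothing is dropped."""
    messages = []
    for chunk in prefs.get("queue", "").split(QUEUE_SEPARATOR):
        chunk = chunk.strip()
        if not chunk:
            continue  # a trailing separator leaves an empty tail
        try:
            messages.append(json.loads(chunk))
        except ValueError:
            messages.append(chunk)
    return messages

# Constructed shared_prefs contents (not a real capture): the key names "queue",
# "delay" and "numbers_to_sms_divert" come from the analysis, the values are made up.
SAMPLE_PREFS_XML = (
    "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
    "<map>\n"
    '  <string name="queue">{"action": "check_commands", "user_id": "IMEI_PLACEHOLDER"}'
    ' ???@~**undefined{"action": "submit_sms", "user_id": "IMEI_PLACEHOLDER",'
    ' "sender_phone_number": "+15550001111", "sms_text": "hello"} ???@~**undefined</string>\n'
    '  <int name="delay" value="30" />\n'
    '  <string name="numbers_to_sms_divert">+15550001111</string>\n'
    "</map>\n"
)

if __name__ == "__main__":
    prefs = load_shared_prefs(SAMPLE_PREFS_XML)
    print("recheck delay:", prefs["delay"])
    for message in pending_c2_messages(prefs):
        print(message)
```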
SmsReceiver : This receiver is launched when an SMS message is received on the phone. If the message body starts with the keyword "command":, the message is hidden from the end user.
Next, depending upon the keyword following the command, the following functions are performed (keyword with optional JSON object : function performed):
  • start_sms_forwarding + {"phone_number": [PH]} : Updates the value of "numbers_to_sms_divert" to PH in the shared preferences
  • start_call_blocking + {"phone_number": [PH]} : Enables the PhoneCallReceiver and updates the value of "numbers_to_call_block" to PH in the shared preferences. This value is used to selectively block calls to/from the phone
  • stop_sms_forwarding : Clears the value of "numbers_to_sms_divert" in the shared preferences
  • stop_call_blocking : Clears the value of "user_id" in the shared preferences
  • send_sms + {"phone_number": [PH], "message_text": [TXT]} : Sends an SMS message to PH with contents TXT
  • execute_ussd + {"ussd_query": [USSD]} : Starts the UssdActivity
  • simple_execute_ussd + {"ussd_query": [USSD]} : Calls the number "USSD#", then starts the UssdActivity
  • stop_program : Sets the value of "is_program_stopped" to true in the shared preferences and stops all running components of the program
  • show_message + {"message_text": [MSG]} : Displays a message to the victim with content MSG
  • delay_change + {"delay": [DELAY]} : Sets the value of "recheck_commands_delay" to DELAY in the shared preferences
  • ping : Sends an SMS message to "+447937XXXXX4" with the message body {action: pong, user_id: [IMEI]} (some variants use the number +447937XXXXX5 or +447937XXXX8)

If the phone number of the received SMS equals "numbers_to_sms_divert", an HTTP request is sent to the C&C server with the JSON object
{action: submit_sms, user_id: [IMEI], sender_phone_number: [PH], sms_text: [MSG]}
where PH is the sender's phone number and MSG is the SMS message body.
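The following added Python example (not part of the original analysis) shows detection logic for the SMS command protocol described above: it parses message bodies that start with the "command": prefix, checks the keyword against the table and decodes the optional JSON object. The "command": prefix and the keyword list come from the analysis; the separator between keyword and object is an assumption (the table joins them with "+", so both "+" and plain whitespace are accepted), and the sample SMS log is constructed.

```python
import json
import re

# Keywords taken from the command table in the analysis; the JSON argument is optional.
PINCER_KEYWORDS = {
    "start_sms_forwarding", "start_call_blocking", "stop_sms_forwarding",
    "stop_call_blocking", "send_sms", "execute_ussd", "simple_execute_ussd",
    "stop_program", "show_message", "delay_change", "ping",
}

# Assumed wire format: the literal "command": prefix (confirmed by the analysis), the
# keyword, then optionally a JSON object joined by "+" or whitespace (separator assumed).
_COMMAND_RE = re.compile(r'^"command":\s*([a-z_]+)\s*\+?\s*(\{.*\})?\s*$', re.DOTALL)

def parse_pincer_command(sms_body):
    """Return (keyword, args) if the body matches the C&C SMS format, else None.
    args is {} when no object is present and None when the object is malformed."""
    match = _COMMAND_RE.match(sms_body.strip())
    if match is None:
        return None
    keyword, raw_json = match.group(1), match.group(2)
    if keyword not in PINCER_KEYWORDS:
        return None
    if raw_json is None:
        return keyword, {}
    try:
        args = json.loads(raw_json)
    except ValueError:
        return keyword, None
    return keyword, (args if isinstance(args, dict) else None)

def scan_sms_log(messages):
    """Flag entries of a [(sender, body), ...] list that carry a C&C command."""
    hits = []
    for sender, body in messages:
        parsed = parse_pincer_command(body)
        if parsed is not None:
            hits.append((sender, parsed[0], parsed[1]))
    return hits

# Constructed sample SMS log (not real captures); the sender is the redacted
# controller number quoted in the analysis.
SAMPLE_SMS = [
    ("+15550001111", "Your parcel is ready for pickup"),
    ("+447937XXXXX4", '"command": start_sms_forwarding + {"phone_number": "+15559998888"}'),
    ("+447937XXXXX4", '"command": ping'),
    ("+447937XXXXX4", '"command": send_sms + {"phone_number": }'),
    ("+15550002222", '"command": not_a_pincer_keyword'),
]
```

Run over SAMPLE_SMS, scan_sms_log flags the three messages from the controller number and reports the malformed send_sms object as None rather than dropping the hit.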
PhoneCallReceiver : This receiver is started when the phone state changes, i.e. an incoming or outgoing call occurs. If the source/destination phone number equals the value of "numbers_to_call_block" in the shared preferences, the call is blocked.
Next, the Commands Queue & Check Commands process is carried out.
UssdActivity : When started, an HTTP request is sent to the C&C server with the JSON object
{action: submit_ussd, user_id: [IMEI], query: [USSD], result: ":RETVAL;(" + [RES] + ":ON;)"}
where USSD is obtained from the shared preferences and RES is the response received from calling the "ussd" number.
The malware is started automatically each time the victim's phone is restarted.
Depending upon the variant, the C&C server is one of:
  • https://[REMOVED].com/android_panel/gate.php
  • http://XXX.XXX.XXX.115:9081/Xq0jzoPa/g_L8jNgO.php
  • http://XX.XXX.XX.109/gate/gate.php
NOTE : Some variants of the malware contain different combinations of the following anti-debugging tricks that prevent it from being run on an emulator.
The malware is not run if any of the following holds:
  • Network Operator Name is "Android"
  • IMEI is "000000000000000", "012345678912345", "351565050260436" or "357242043237517"
  • Phone Number is "15555215554"
  • Build.FINGERPRINT is "generic"
  • Build.MODEL is "sdk" or "generic"
  • Build.PRODUCT is "sdk"
  • Build.HARDWARE is "goldfish"
  • A debugger is connected, i.e. Debug.isDebuggerConnected() is true
  • The phone is not rooted, i.e. the file "/system/app/Superuser.apk" is not found
(The values in the first seven checks are the default values of an Android emulator.)
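To check whether an analysis sandbox would trip these gates before detonating a sample, the following added Python example (not part of the original analysis) evaluates a device profile against the checks listed above and returns the reasons the malware would refuse to run, including the inverted "not rooted" check. The profile key names and both sample profiles are constructed for this example; the compared values are those from the list.

```python
# Values copied from the anti-debugging list in the analysis.
EMULATOR_IMEIS = {"000000000000000", "012345678912345", "351565050260436", "357242043237517"}

def pincer_refusal_reasons(profile):
    """Return the reasons, from the list above, for which the malware would refuse
    to run on a device with the given properties. An empty list means it would run.
    The profile key names are assumptions of this example, not from the malware."""
    reasons = []
    if profile.get("operator") == "Android":
        reasons.append("network operator name is Android")
    if profile.get("imei") in EMULATOR_IMEIS:
        reasons.append("IMEI is an emulator default")
    if profile.get("phone_number") == "15555215554":
        reasons.append("phone number is the emulator default")
    if profile.get("fingerprint") == "generic":
        reasons.append("Build.FINGERPRINT is generic")
    if profile.get("model") in ("sdk", "generic"):
        reasons.append("Build.MODEL is sdk or generic")
    if profile.get("product") == "sdk":
        reasons.append("Build.PRODUCT is sdk")
    if profile.get("hardware") == "goldfish":
        reasons.append("Build.HARDWARE is goldfish")
    if profile.get("debugger_connected", False):
        reasons.append("a debugger is connected")
    # Inverted check: an unrooted phone (no Superuser.apk) also stops execution,
    # so a sandbox must present the file even though it is not an emulator marker.
    if not profile.get("superuser_apk_present", False):
        reasons.append("/system/app/Superuser.apk not found")
    return reasons

# Constructed profiles (made-up values): a stock emulator and a sandbox image
# tuned to pass every check.
STOCK_EMULATOR = {
    "operator": "Android", "imei": "000000000000000", "phone_number": "15555215554",
    "fingerprint": "generic", "model": "sdk", "product": "sdk", "hardware": "goldfish",
    "debugger_connected": False, "superuser_apk_present": False,
}
TUNED_SANDBOX = {
    "operator": "ExampleCarrier", "imei": "490154203237518", "phone_number": "15550100200",
    "fingerprint": "example/device/release-keys", "model": "ExamplePhone",
    "product": "example_phone", "hardware": "qcom", "debugger_connected": False,
    "superuser_apk_present": True,
}

if __name__ == "__main__":
    for name, profile in (("stock emulator", STOCK_EMULATOR), ("tuned sandbox", TUNED_SANDBOX)):
        print(name, "->", pincer_refusal_reasons(profile) or "would run")
```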

Permissions required by the application:
  • INTERNET
  • SEND_SMS
  • READ_LOGS
  • CALL_PHONE
  • RECEIVE_SMS
  • CALL_PRIVILEGED
  • READ_PHONE_STATE
  • MODIFY_PHONE_STATE
  • RECEIVE_BOOT_COMPLETED

Certificate info : The variants are signed with different certificates such as "Owner: CN=A, OU=B, O=C, L=D, ST=E, C=US", "Owner: CN=Mohammad", "Owner: CN=Mohammad al Sayed, C=ZA" or "Andorid Debug".

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient: Extreme
FortiAPS
FortiAPU
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2019-04-12 67.75300