A new type of Android malware that can intercept text messages and forward them to attackers has been discovered by the Russian security firm Doctor Web. This is a very serious threat to users, because with this malware attackers can easily obtain the two-factor authentication codes sent to your email or bank accounts.
The malware, dubbed Android.Pincer.2.origin, is the second variant of the original Android.Pincer malware and is distributed disguised as a security certificate that the user must install.
Upon launching Android.Pincer.2.origin, the user sees a fake notification that the certificate was installed successfully; after that, the Trojan performs no noticeable activity for a while.
Android.Pincer.2.origin then connects to a server and sends text messages along with other information, such as the smartphone model, serial number, IMEI, phone number and the Android version in use.
The malware then receives instructions from the server as commands in the following format:
- start_sms_forwarding [telephone number] - begin intercepting messages from the specified number
- stop_sms_forwarding - stop intercepting messages
- send_sms [phone number and text] - send a short message using the specified parameters
- simple_execute_ussd - send a USSD request
- stop_program - stop working
- show_message - display a message on the screen of the mobile device
- set_urls - change the address of the control server
- ping - send an SMS containing the text 'pong' to a previously specified number
- set_sms_number - change the number to which messages containing the text string 'pong' are sent
The command start_sms_forwarding is of particular interest since it allows attackers to indicate the number from which the Trojan needs to intercept messages. This feature enables criminals to use the Trojan for targeted attacks and steal specific messages.
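For analysts triaging a captured server reply, the command list above is enough to write a small parser that normalises each instruction and ranks the ones that touch SMS interception or re-point the control server. This is an added example, not Doctor Web's code or anything from the malware; the wire format is not documented on the page, so it assumes one command per line with whitespace-separated arguments, and the sample capture is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command names exactly as listed in Dr. Web's description of Android.Pincer.2.origin.
KNOWN_COMMANDS = {
    "start_sms_forwarding", "stop_sms_forwarding", "send_sms",
    "simple_execute_ussd", "stop_program", "show_message",
    "set_urls", "ping", "set_sms_number",
}
# Defender-side severity: commands that redirect or exfiltrate SMS (2FA codes)
# or move the C2 server are the ones worth alerting on first.
HIGH_RISK = {"start_sms_forwarding", "send_sms", "set_sms_number", "set_urls"}
PHONE_RE = re.compile(r"^\+?\d{6,15}$")   # loose E.164-style check (assumption)


@dataclass
class C2Command:
    name: str
    args: list
    risk: str            # "high", "low" or "unknown"
    note: str = ""       # analyst hint for malformed or unrecognised lines


def parse_command(line: str) -> Optional[C2Command]:
    """Parse one captured line (ASSUMED layout: name, then whitespace-separated args)."""
    parts = line.strip().split()
    if not parts:
        return None
    name, args = parts[0], parts[1:]
    if name not in KNOWN_COMMANDS:
        return C2Command(name, args, "unknown", "not in the Pincer.2 command set")
    note = ""
    # Commands that carry a telephone number: flag a malformed one so the line is
    # recorded as a near-miss rather than a valid instruction.
    if name in ("start_sms_forwarding", "send_sms", "set_sms_number"):
        if not args or not PHONE_RE.match(args[0]):
            note = "missing or malformed telephone number"
    if name == "send_sms" and len(args) < 2 and not note:
        note = "send_sms without message text"
    return C2Command(name, args, "high" if name in HIGH_RISK else "low", note)


def scan_capture(text: str) -> list:
    """Return parsed commands for every non-empty line of a captured C2 reply."""
    return [c for c in (parse_command(l) for l in text.splitlines()) if c]


# Constructed sample, not real traffic: what a captured server reply might hold.
SAMPLE = """start_sms_forwarding +15550001234
send_sms 15550009999 balance ok
ping
set_urls http://c2.example.invalid/gate
frobnicate now
start_sms_forwarding not-a-number
"""

if __name__ == "__main__":
    for cmd in scan_capture(SAMPLE):
        print(f"{cmd.risk:8} {cmd.name:22} {cmd.args} {cmd.note}")
```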