Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors. But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.
In April, Finnish security firm F-Secure first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.
F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.
Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.
I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.
A scan of Shmakov’s accounts turned up the email address firstname.lastname@example.org. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.
Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.
“I was working on this app for some months, and I was hoping that it would be really helpful,” Shmakov wrote. “[The] idea of this app is that you can set it up as a spam filter…block some calls and SMS remotely, from a Web service. I hoped that this will be [some kind of] blacklist, with logging about blocked [messages/calls]. But of course, I understood that client [did] not really want this.”
Shmakov said the guy who hired him to write the Android application used the email address email@example.com. But Shmakov declined to say why he decided to take the job even though he understood that his creation would be used for malicious purposes.
“The most difficult task to understand and to implement was to intercept the USSD execution value without root access,” Shmakov continued, switching to Russian in a second, more academic reply via email. “The related algorithm was a rather complicated one. For example, should you not succeed in transmitting the intercepted SMS over the Internet, then add it to the queue; had it spent too much time in the queue, then send it by SMS, etc. That being said, this is not really relevant to our case. By the way, it may indeed be worth creating such a service – the way I originally imagined it. Especially, having considered the fact that the mobile spam has finally taken over Russia.”
Whoever owns the address firstname.lastname@example.org did not respond to requests for comment. Update, Aug. 28, 8:55 a.m. ET: Heard from email@example.com, who was none too happy that I’d posted his email address. Alex wanted me to know that he was the one who really weaponized the Android application that Shmakov created.
“Dear Brian, thank you for your email. The developer did not create the malware, as his task was to create the legitimate application. Having received the source codes, I personally redesigned it into malware (changed interface and added some features and tricks to it as well). I am a professional developer, but don’t have sufficient experience in Android applications development. P.S. I am very disappointed that you posted contact information in public. Now I am receiving bulk spam emails on my email; thank you very much for that.”
It is extremely common to find malware and cybercrime jobs that are outsourced to freelancers. In their excellent 2011 paper, “Dirty Jobs: The Role of Freelance Labor in Web Service Abuse,” (PDF), researchers from The University of California, San Diego delved into how cybercriminals crowdsource Web abuse. Also, it’s not unusual to see on underground forums individuals hiring out services to design various components of malware operations, from back-end administrative panels to user interfaces for point-and-click malware creation tools. This was the case with the Styx Exploit Pack, although the designers of that crimeware kit clearly had more personal ties to the individuals who were selling the malware.
In the United States, writing malware is a protected form of free speech, but only up to a point. Prosecutors have gone after malware writers who seek to spread their creations or who have created malicious software with full knowledge of how it will be used.
This also seems to be the case in Russia, albeit in a case involving the theft of hundreds of millions of dollars. Earlier this year, authorities there sentenced to prison a number of programmers who were hired to create individual components of the Carberp banking Trojan. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.