August 27, 2013

Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors.  But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of  the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.

bwshadowIn April, Finnish security firm F-Secure  first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.

F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.

Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.

I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.

Text string "senneco" inside of the Pincer Android Trojan.

Text string “senneco” inside an early sample of he Pincer Android Trojan. Source: F-Secure.

A scan of Shmakov’s accounts turned up the email address senneco@gmail.com. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

“I was working on this app for some months, and I was hoping that it would be really helpful,” Shmakov wrote. “[The] idea of this app is that you can set it up as a spam filter…block some calls and SMS remotely, from a Web service. I hoped that this will be [some kind of] blacklist, with logging about blocked [messages/calls]. But of course, I understood that client [did] not really want this.”

Shmakov said the guy who hired him to write the Android application used the email address alexbort@hush.com. But Shmakov declined to say why he decided to take the job even though he understood that his creation would be used for malicious purposes.

“The most difficult task to understand and to implement was to intercept the USSD execution value without root access,” Shmakov continued, switching to Russian in a second, more academic reply via email. “The related algorithm was a rather complicated one. For example, should you not succeed in transmitting the intercepted SMS over the Internet, then add it to the queue; had it spent too much time in the queue, then send it by SMS, etc. That being said, this is not really relevant to our case.  By the way, it may indeed be worth creating such a service – the way I originally imagined it. Especially, having considered the fact that the mobile spam has finally taken over Russia.”

Whoever owns the address alexbort@hush.com did not respond to requests for comment. Update, Aug. 28, 8:55 a.m. ET: Heard from alexbort@hush.com, who was none too happy that I’d posted his email address. Alex wanted me to know that he was the one who really weaponized the Android application that Shmakov created.

“dear Brian., thank you for your email.The developer did not create the malware as his task was to create the legitimate application. having received the source codes i personally redesigned it into malware ( changed interface and added some features and tricks to it as well ). I am professional developer, but dont have sufficient experience in android applications development. P.S. i am very disappointed that you posted contact information in public, Now am receiving bulk spam emails on my email thank you very much for that.”

Original post:

It is extremely common to find malware and cybercrime jobs that are outsourced to freelancers. In their excellent 2011 paper, “Dirty Jobs: The Role of Freelance Labor in Web Service Abuse,” (PDF), researchers from The University of California, San Diego delved into how cybercriminals crowdsource Web abuse. Also, it’s not unusual to see on underground forums individuals hiring out services to design various components of malware operations, from back-end administrative panels to user interfaces for point-and-click malware creation tools. This was the case with the Styx Exploit Pack, although the designers of that crimeware kit clearly had more personal ties to the individuals who were selling the malware.

In the United States, writing malware is a protected form of free speech, but only up to a point. Prosecutors have gone after malware writers who seek to spread their creations or who have created malicious software with full knowledge of how it will be used.

This seems to also be the case in Russia, albeit in a case involving the theft of hundreds of millions of dollars. Earlier this year, authorities there sentenced to prison a number of programmers who were hired to create individual components of the Carberp banking Trojan.” According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.


16 thoughts on “Who Wrote the Pincer Android Trojan?

  1. не пызды

    Absolute Nonsense . Anyone can create a Twitter , Google+ account with any name they like , i personally use Brians credentials to set up any new email accounts i need 🙂 But it doesn’t mean im the Brian Crebs . See where im going with this !!?? Email address this email address that where is the hard evidence Brian ? Maybe they should sue you zorry Asz for destroying his reputation or something ? I would 🙂

    P.s Cледствие видут колобки .

    1. oleg

      guess you forgot to read full story huh bro? guy krebs reached said he wrote it. krebs even includes interview with author. you serious think the guy made it all up?

      guess reading skillz not your strong point eh bro?

  2. не пызды

    and why is my post — awaiting moderation ?? what are you scared of brian ? the trues ? dont be scared brian we love you very much . trues will prevail anyway you like it or not . Bro .

    1. BrianKrebs Post author

      If your post was awaiting moderation is it because some previous post of yours was submitted over and over rapidly, or contained one more of the following: links to malware or spam sites; excessive coarse language; off-topic remarks; hateful or troll-like comments.

      Try to avoid submitting the same comment 100 times, and maybe your future comments won’t get flagged for moderation.

      1. William

        Incidentally, the “name” of the above person includes intentionally misspelled Russian profanity.

  3. Paul G.

    I’m curious: What does Pincer need USSD for? As far as I know, USSD codes are usually only used to offer network-internal services, e.g. balance inquiry.

    SMS and call interception are both features which Android apps can accomplish using publicly documented APIs; however, USSD requires the use of internal, undocumented APIs which even lead to the discovery of the original developer.

  4. mushinskiy

    ” But Shmakov declined to say why he decided to take the job even though he understood that his creation would be used for malicious purposes.”

    If you hungry poor student who live in Novosibirsk,provably you dont intrest the purposes of use )

  5. itguy47

    This isn’t on the topic of this particular post, but I don’t know of any more suitable place where I can ask a bunch of security-knowledgeable folks.

    One of our Vista boxes here just began incorrectly showing a prompt to install an update patch that is not a Windows Defender definitions update, even though it’s not a Patch Tuesday. Is it possible that malware authors have discovered a way to deliver phony “updates” to Windows boxes that they confuse for real updates from Microsoft? Or is this just some harmless* Windows Update hiccup?

    * Well, it wouldn’t have been if that machine had been configured to install it and reboot automatically. A sudden reboot in the middle of doing work on it would have been rather inconvenient. But then, that’s why it’s set to just notify about updates. That, and sometimes M$ updates can’t be trusted, as we saw with that bad patch a few months ago and with several patches they’ve issued whose sole purposes have been to add more “Windows Genuine Advantage” non-user-benefiting DRM crap — best case (with a non-pirate install) it does nothing, worst case it mis-detects your install as pirate due to a bug in the patch and you need to reactivate. And if there’s now malware masquerading as Windows Updates that’s yet another reason not to have updates install automatically.

      1. itguy47

        Doubt it’s that one, if that one only infects computers after you run IE and it checks for proxy settings. The browser being used on the affected machine is Firefox.

        1. Chris

          ITGuy47, I receive Windows Defender updates all the time from Windows Updates. As far as I know this is normal. If this is the only thing that concerns you it might be legit. Have you ran a malwarebytes scan? Check for open tcp connections? ect ect

  6. Mike

    He deserves to get a ton of spam emails after admitting to creating the malware.

  7. Michael Richards

    Brian,

    I was recently at a CPE conference at which Elaine Dodds of the Oklahoma Bankers Association spoke. She was addressing various security breaches and I inquired as to whether she was familiar with the “back door” included in Lenovo computers. I’m curious and concerned that because I work in the aerospace industry and China is essentially building a “737” clone.

    Michael Richards

Comments are closed.