Dr.Web virus library
Android.Pincer in virus library:
Android.Pincer is a family of malicious programs for Android mobile devices. Its main purpose is to intercept incoming text messages and forward them to the attacker.
When launched by an unsuspecting user, Android.Pincer Trojans display a message claiming that a security certificate has been successfully installed on the device.
To run in the background from the moment the device boots, the malware registers a system service that is started together with the operating system.
After launching, Android.Pincer Trojans connect to a remote server whose address can differ between versions of the malware (for example, http://89.144.xx.xxx/gate/gate.php or https://img-xxxxx.com/android_panel/gate.php) and upload the following information about the mobile device:
- device model;
- device serial number;
- IMEI number;
- telecom operator name;
- mobile phone number;
- default system language;
- operating system version;
- whether root access is available.
The Trojans then wait for further instructions, delivered as SMS control messages of the form “command: [command name]”. Cybercriminals can issue one of the following directives:
- start_sms_forwarding [phone number] – start intercepting messages from the specified phone number;
- stop_sms_forwarding – stop intercepting messages;
- send_sms [phone number and text] – send an SMS with the specified parameters;
- simple_execute_ussd – perform a USSD request;
- stop_program – stop operating;
- show_message – display a message on the mobile device screen;
- set_urls – change address of the C&C server;
- ping – send an SMS with text “pong” to the phone number specified earlier;
- set_sms_number – change the phone number to which the “pong” text is sent.
Android.Pincer Trojans send the contents of intercepted text messages to the C&C server, together with the sender's name and phone number for each SMS.
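The SMS control channel described above is simple enough to recognise mechanically. The following Python snippet is an added example for this page, not Dr.Web's code and not code recovered from the Trojan: it parses messages of the “command: [command name]” form into the nine directives listed above and flags them in a (constructed) sample inbox. The description names the arguments but not their exact encoding, so the argument layout assumed here (whitespace-separated, phone number first for send_sms) and the sample senders, numbers and C&C address are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Command names taken from the Dr.Web description of Android.Pincer.  The value
# says how the text after the command name is split into arguments; this layout
# is an assumption of the example, since the description only names the arguments.
#   0 -> the command carries no argument
#   1 -> everything after the name is one argument
#   2 -> first token is a phone number, the remainder is free text
PINCER_COMMANDS = {
    "start_sms_forwarding": 1,   # [phone number]
    "stop_sms_forwarding": 0,
    "send_sms": 2,               # [phone number and text]
    "simple_execute_ussd": 1,    # USSD code (argument format assumed)
    "stop_program": 0,
    "show_message": 1,           # text to display on screen
    "set_urls": 1,               # new C&C address
    "ping": 0,
    "set_sms_number": 1,         # number that receives the "pong" reply
}

# "command: [command name]" optionally followed by arguments.
_COMMAND_RE = re.compile(
    r"^\s*command:\s*(?P<name>[A-Za-z_]+)(?:\s+(?P<rest>.*))?$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class PincerCommand:
    name: str
    args: List[str] = field(default_factory=list)


def parse_control_sms(body: str) -> Optional[PincerCommand]:
    """Return the parsed directive if the SMS body is a known Pincer control
    message, or None for ordinary messages and unknown command names."""
    m = _COMMAND_RE.match(body)
    if not m:
        return None
    name = m.group("name").lower()
    layout = PINCER_COMMANDS.get(name)
    if layout is None:
        return None                      # right shape, unknown verb: not in the list
    rest = (m.group("rest") or "").strip()
    if layout == 0:
        return PincerCommand(name)
    if layout == 1:
        return PincerCommand(name, [rest] if rest else [])
    # layout == 2: "<phone number> <free text>"
    return PincerCommand(name, rest.split(None, 1) if rest else [])


# Constructed inbox for the example (sender, body); not captured traffic.
SAMPLE_INBOX: List[Tuple[str, str]] = [
    ("+79000000001", "Your verification code is 482913"),
    ("+79000000002", "command: start_sms_forwarding +79001234567"),
    ("+79000000002", "command: send_sms +79001234567 Please confirm the transfer"),
    ("+79000000003", "command: reboot_device"),
    ("+79000000002", "command: set_urls http://c2.example/gate/gate.php"),
    ("+79000000002", "Command: PING"),
]


def scan_inbox(messages: List[Tuple[str, str]]) -> List[Tuple[str, PincerCommand]]:
    """Return (sender, command) for every message that parses as a Pincer directive.
    Grouping hits by sender points at the operator's control number."""
    hits = []
    for sender, body in messages:
        cmd = parse_control_sms(body)
        if cmd is not None:
            hits.append((sender, cmd))
    return hits


if __name__ == "__main__":
    for sender, cmd in scan_inbox(SAMPLE_INBOX):
        print(f"{sender}: {cmd.name} {cmd.args}")
```

Matching is case-insensitive because the description gives the structure, not the exact casing the malware accepts; an unknown verb after “command:” is deliberately not flagged, so that ordinary messages starting with that word do not produce false positives.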
For Microsoft Windows OS:
- If the operating system (OS) can be loaded (either normally or in safe mode), download the curing utility Dr.Web CureIt! and run a full scan of your computer and the removable media you use.
- If you can't load the OS, change the BIOS settings to load your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk or the Dr.Web® LiveDisk recording utility onto a USB drive and prepare the relevant media. After booting up with this media, run a full scan and cure whatever threats have been detected.
- If your OS has been locked by malware from the Trojan.Winlock family, use our unlocking service. If you cannot find the unlock code, follow the instructions provided in Section 2.
For Linux:
- On the loaded OS, run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.
For Mac OS X:
Run a full system scan using the free Dr.Web Light Scanner for Mac OS X. You can download it from the Apple App Store.
For Android:
- If the mobile device is operating normally, download and install the free anti-virus Dr.Web for Android Light. Perform a full system scan and follow the recommendations for removing any detected threats.
- If the mobile device has been locked by Android.Locker ransomware (the screen displays a notice that you have broken some law, demands a set ransom amount, or shows some other message that prevents you from using the device normally), do the following:
- Start your smartphone or tablet in safe mode (depending on the operating system version and the particular device, this is done in different ways; consult the user guide shipped with the device or contact its manufacturer);
- Once safe mode is active, install the free anti-virus Dr.Web for Android Light on the infected device and perform a full system scan; follow the steps recommended for neutralising the detected threats;
- Switch off the device and turn it on as normal.