New Android Lockscreen campaign spotted in the wild (May 12, 2016)


Dell SonicWALL Threats Research Team received reports of a new wave of lockscreen malware spreading for Android. This lockscreen is spreading mainly via porn-related apps. We observed multiple groups of apps with subtle differences but the same overall functionality, indicating that this campaign is using multiple mediums to spread. Based on some of the components it appears that this campaign is still in its early stages and will evolve with time.

Infection Cycle

Upon installation the app requests Device Administrator privileges. On clicking the application or opening the System Settings app we see the screen shown in the figure. This screen appears to be the ransom/lockscreen, but the user can easily leave this view by pressing the Home or Menu buttons.

Traditionally lockscreens cover the entire screen of the device and “lock” the user out, leaving the device unusable because the user cannot leave the lockscreen view. In this campaign, at the moment the victim only cannot view the contents of System Settings while the lockscreen is shown. It is interesting to note that there is no ransom demand of any kind; that, together with the fact that the victim can leave this view, indicates that this mechanism might not be completely implemented.

Once the application starts running, encoded data is transmitted to multiple domains in the background. The encoding routine is present in each application that is part of this campaign:

We observed data being sent to the following domains:


If an Android device is infected with malware that holds Device Administrator privileges it becomes difficult to remove, as the Uninstall button is greyed out. A good way to circumvent this is to boot the device into Safe Mode and remove the app from there. Safe Mode disables third-party apps, so it becomes easier to remove malware or any unwanted app. But some Android malware is persistent in Safe Mode as well, and this malicious app is no different.

Once in Safe Mode the malicious app starts blocking the System Settings after a few moments as shown below:

The traditional way to remove an application does not work here as the System Settings app is unusable because of the lockscreen. An alternative is to disable the running app via Android Debug Bridge (adb):

  • Get into the device shell – adb shell
  • pm disable [ application package name ]
  • Get out of the shell and run – adb uninstall [ application package name ]
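The removal steps above, as an added example (not from the SonicWall write-up): a small Python wrapper that validates the package name before anything is passed to adb and then runs the two commands in order, stopping at the first failure. It assumes adb is on PATH with the device attached in Safe Mode; running `adb shell pm disable <package>` is the same as running `pm disable` from inside the adb shell. The package name in the demo is invented.

```python
"""Wrapper for the adb removal procedure described above (added example)."""
import re
import subprocess
import sys

# Android package names are dotted Java-identifier segments, at least two of them.
PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")


def is_valid_package(name):
    """True if the string is shaped like an Android package name."""
    return bool(PACKAGE_RE.match(name))


def removal_commands(package):
    """The two adb invocations from the write-up, as argv lists (no shell involved)."""
    if not is_valid_package(package):
        raise ValueError(f"malformed package name: {package!r}")
    return [
        # equivalent to: adb shell, then "pm disable <package>" inside the device shell
        ["adb", "shell", "pm", "disable", package],
        # run from the host after leaving the device shell
        ["adb", "uninstall", package],
    ]


def remove_package(package, run=subprocess.run):
    """Run the commands in order; stop at the first non-zero exit and return what happened."""
    results = []
    for argv in removal_commands(package):
        proc = run(argv, capture_output=True, text=True)
        results.append((argv, proc.returncode, proc.stdout.strip()))
        if proc.returncode != 0:
            break
    return results


if __name__ == "__main__":
    # usage: python remove_via_adb.py <package name>   (package name is an assumption here)
    for argv, rc, out in remove_package(sys.argv[1]):
        print(" ".join(argv), "->", rc, out)
```

To find the package name of the offending app first, `adb shell pm list packages -3` lists only third-party packages. On newer Android releases the shell user is sometimes not allowed to run a plain `pm disable` on a third-party app; `pm disable-user --user 0 <package>` is the usual substitute, and the uninstall step then proceeds as in the write-up.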

We observed a number of apps belonging to this campaign; most of them share the following traits:

  • Display Icons
    Most of the apps belonging to this campaign use one of the following icons:
  • Services
    Most of the applications have between 15 and 17 services, named with the following structure:
    [ package_name ].[ random_word ]Service[ random_number ]

    We observed two sets of random words in most of the applications. The table below shows the services from three applications:

  • Permissions requested during installation
    The applications request the following permissions during installation:
    • Bluetooth
    • Bluetooth Admin
    • Internet
    • Write Contacts
    • Write Settings
    • Write History Bookmarks
    • Read Contacts
    • Restart Packages
    • Read Profile
    • Get Tasks
    • Read Call Log
    • Read History Bookmarks
    • Write External Storage
    • Access Fine Location
    • Receive Boot Completed
    • Read Phone State
    • Vibrate
    • System Alert Window
    • Kill Background Processes
    • Camera
    • Wake Lock
    • Access Coarse Updates
    • Process Outgoing Calls
    • Access Coarse Location
  • Code Structure
    Upon inspecting the code structure we found that many applications contain a set of three class files, with the encoding routine present in one of these classes as shown below:

    Interestingly, many applications contained an additional component alongside the classes mentioned above. This additional component is the Chartboost SDK. Chartboost is a mobile game monetization platform that can be used to show video ads in games. However, none of the apps actually does anything other than show the lockscreen image.

  • Lockscreen
    The lockscreen image is present in the assets folder for each malicious application from this campaign:
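A triage heuristic for two of the traits listed above (the `[ package_name ].[ random_word ]Service[ random_number ]` naming structure with its 15-17 count, and the permission list), added here as an example and not SonicWall's own tooling. It parses a decoded AndroidManifest.xml with the standard library and reports how many services fit the pattern and how many of the listed permissions the app requests; permission names are compared on the last segment of the manifest constant so the namespace prefix does not matter. The manifest it runs on is constructed for the example: its package name, service words and permission subset are invented.

```python
"""Manifest triage for the service-naming and permission traits described above (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names as listed in the write-up, normalised to the last segment of
# the manifest constant ("Write Settings" -> "WRITE_SETTINGS").
LISTED_PERMISSIONS = {
    p.upper().replace(" ", "_") for p in (
        "Bluetooth", "Bluetooth Admin", "Internet", "Write Contacts",
        "Write Settings", "Write History Bookmarks", "Read Contacts",
        "Restart Packages", "Read Profile", "Get Tasks", "Read Call Log",
        "Read History Bookmarks", "Write External Storage",
        "Access Fine Location", "Receive Boot Completed", "Read Phone State",
        "Vibrate", "System Alert Window", "Kill Background Processes",
        "Camera", "Wake Lock", "Access Coarse Updates",
        "Process Outgoing Calls", "Access Coarse Location",
    )
}


def parse_manifest(xml_text):
    """Return (package, fully qualified service names, set of permission name suffixes)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    services = []
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name", "")
        if name.startswith("."):      # manifest shorthand for a package-relative class name
            name = package + name
        services.append(name)
    perms = {
        p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        for p in root.iter("uses-permission")
    }
    return package, services, perms


def matching_services(package, services):
    """Services named <package>.<word>Service<number>, the structure seen in this campaign."""
    pattern = re.compile(r"^" + re.escape(package) + r"\.[A-Za-z]+Service\d+$")
    return [s for s in services if pattern.match(s)]


def triage(xml_text):
    """Summarise both traits; the analyst decides what combination is worth a closer look."""
    package, services, perms = parse_manifest(xml_text)
    hits = matching_services(package, services)
    overlap = perms & LISTED_PERMISSIONS
    return {
        "package": package,
        "service_count": len(services),
        "pattern_services": len(hits),
        "service_cluster": 15 <= len(hits) <= 17,   # range reported in the write-up
        "listed_permissions": sorted(overlap),
        "permission_overlap": len(overlap) / len(LISTED_PERMISSIONS),
    }


# Constructed sample manifest: 16 package-relative services built from four invented
# stand-ins for the family's random words, plus eight of the listed permissions.
_WORDS = ("alpha", "beta", "gamma", "delta")
_PERMS = ("INTERNET", "SYSTEM_ALERT_WINDOW", "RECEIVE_BOOT_COMPLETED", "READ_PHONE_STATE",
          "WAKE_LOCK", "KILL_BACKGROUND_PROCESSES", "GET_TASKS", "CAMERA")
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
    ' package="com.example.lockscreen">\n'
    + "".join(f'  <uses-permission android:name="android.permission.{p}"/>\n' for p in _PERMS)
    + "  <application>\n"
    + "".join(f'    <service android:name=".{_WORDS[i % 4]}Service{i + 1}"/>\n' for i in range(16))
    + "  </application>\n</manifest>\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The naming pattern on its own is a weak signal (a legitimate app could use a similar scheme), which is why the result keeps the permission overlap and the service count separate rather than collapsing them into a single verdict; on a real sample the manifest would first be decoded from the APK's binary XML.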

Overall it looks like this campaign is in its early days, as the lockscreen does not work as expected and it is easy to come out of the “lock” state. At present only System Settings is unusable; apart from that, other functionality is intact. Considering the volume of malicious apps that are part of this campaign, it might grow bigger in the near future with updated components. We can expect a different lockscreen image in the future that demands ransom in some form.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.Ransomware.LK
  • GAV: AndroidOS.Ransomware.LK_2
  • GAV: AndroidOS.Ransomware.LK_3
  • GAV: AndroidOS.Ransomware.LK_4

Below are details of a small subset of the samples we observed from each group; the groups have been differentiated based on their icons:

Icon    MD5    Package Name
