Persian Lockscreen Android malware borrows heavily from online tutorials (December 8, 2016)


Online tutorials are extremely helpful when it comes to understanding something specific, be it changing the oil in a car or figuring out why the network for a Linux server is not working. But at times an online tutorial can be used for nefarious purposes as described in this blog entry.

SonicWall Threats Research Team came across an Android Lockscreen malware with an adware component. The simplistic code gave an impression that this malware might be a test malware or something created as part of a learning experience. The reason for this simplistic code became clear after few Google searches of the code, but first let’s explore the malware’s behavior.

Infection Cycle

The malware requests for the following permissions:

  • Receive boot completed
  • System alert window
  • Vibrate
  • Internet
  • Access coarse location

This malware has the app name :@erfanandroid and package, clearly subtlety is not this author’s strong suit.

Upon running this app the entire screen is enveloped by a lockscreen with an image that is associated with Anonymous – the international network of activist and hacktivist entities. The victim is locked out from using the phone as pressing the navigation buttons do not help, nothing apart from the lockscreen shown below is visible:

In the background this malware runs a service called VirusService which ensures that the malware is constantly running.

One of the basic instincts of a victim post infection is to restart the device and to uninstall the malware. To ensure that the malware runs automatically whenever the phone starts, there is a receiver that listens to boot_completed broadcast signal. This receiver in turn activates the VirusService mentioned above thereby activating the malware as soon as the phone starts and locks out the user.

Adware component

The malware contains an additional adware component – Adad – a mobile advertisement network which operates in Persian speaking countries. Adad is advertised as the preferred advertising platform for Cafebazaar apps source. Cafebazaar in turn is a popular Iranian Google appstore.

We did not see any ads getting displayed on Bazaar or while using other apps, the adware component does not look to be fully implemented.

Coming back to the part about online tutorials, we did some online search with regards to this malware and we reached an unexpected place. We landed on a blog post which described how to create an Android lockscreen malware.

The simplistic code of this lockscreen malware can be explained by the fact that most of it was copied from the source material – this git repository. As we can see the codes are more or less the same. The only differences are in places where Persian code is inserted and the additional adware component that is part of this malware.

Based on these two factors we can say this malware is targeted to affect a specific region.

Knowledge itself is not evil, it can be used for good. But in the wrong hands it can be used in a very immoral way. The blog author most likely created the tutorial with good intentions, but it was sadly used in a wrong way.

SonicWALL provides protection against this threat via the following signatures:

  • AndroidOS.PersianLockscreen.VA (Trojan)
  • AndroidOS.PersianLockscreen.JV (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.