Sunday, 28 September 2014

Android WipeLocker - Obey or be hacked

"Elite has hacked you.Obey or be hacked"

That's the message that you will see after this malware infection,
in your Inbox.

Malware Name: WipeLocker (?)
Operating System (OS): Android
SHA256: F75678B7E7FA2ED0F0D2999800F2A6A66C717EF76B33A7432F1CA3435B4831E0

This blog post will be a brief analysis of this sample.

This new malware is distributed as a game (Angry Bird Transformers), a fake game.

Starting, this sample will create a new service that it will be used to "lock" the activity on top of any other activity when some specific applications are on top. Kinda like Simplocker was doing it but a bit more tricky. Then it asks for Administrator access to the device, in order to harden up a bit the un-installation process. The user will be fooled with the message "To ensure the correct installation of Angry Bird Transformers, you must press the \"ACTIVATE\" button below" in order to press activate and give administrator access to the app.

Next step is the execution of method wipeMemoryCard().
Here the app will list (listFiles()) all the folders and files and it will start deleting them.

Another "dirty little" feature of this malware is to send multiple SMS messages to the contacts of the user with the content "HEY!!! <contact_name> Elite has hacked you.Obey or be hacked".

At last it will "lock" the screen with the image that is in the beginning of this blog post. The tricky part is that the lock will be executed only when those four messaging applications are running and their activities are on top:

  • com.facebook.katana
  • com.whatsapp

In a nutshell, the main key features of this malware sample are:
  • Delete all the files from the external storage.
  • Send SMS messages to the contacts of the user.
  • "Lock" the screen with a picture making the phone un-usable
  • Tries to get Administrator rights.

No comments:

Post a Comment