New Android Lockscreen campaign spotted in the wild (May 12, 2016)

Dell SonicWALL Threats Research Team got reports of a new wave of lockscreen malware spreading for Android. This lockscreen is spreading mainly via Porn related apps. We observed multiple groups of apps with subtle differences but the same functionality overall indicating this campaign is using multiple mediums to spread. Based on some of the components it appears that this campaign is still in its early stages and will evolve with time.

Infection Cycle

Upon installation the app requests for Device Administrator privileges. Permissions for dev admin ? On clicking the application or opening the System Settings app we see a screen as shown in the figure. This screen appears to be the ransom/lockscreen but the user can easily come out of this view by clicking the Home or Menu buttons.

Traditionally lockadult_screens cover the entire screen of the device and "lock" the users in a position where the device becomes unusable as the users cannot come out of the lockscreen view. In this campaign, at the moment the victim cannot view contents of the System Settings as the lockscreen is shown. It is interesting to note that there is no demand for ransom of any kind, also the fact that the victim can come out of this view gives an indication that this mechanism might not be completely implemented.

Once the application starts running, encoded data is transmitted to multiple domains in the background. The encoding routine is present in each application that is part of this campaign:

We observed data being sent to the following domains:

• routstreetcars.com
• highlevelzend.com
• girlszendarno.com
• artflowerstreet.net
• raspberryfog.net

If an Android device gets infected with a malware with Device Administrator privileges it becomes difficult to remove it as the uninstall button gets greyed out. A good way to circumvent this issue is to get the device into Safe Mode and then remove it. Getting an Android device into Safe Mode disables the third party apps so it becomes easier to remove malware or any unwanted app. But some Android malware are persistent in Safe Mode as well, this malicious app is no different.

Once in Safe Mode the malicious app starts blocking the System Settings after a few moments as shown below:

The traditional way to remove an application does not work here as the System Settings app is unusable because of the lockscreen. An alternative is to disable the running app via Android Debug Bridge (adb):

• Get into the device shell - adb shell
• pm disable [ application package name ]
• Get out of the shell and run - adb uninstall [ application package name ]

We observed a number of apps belonging to this campaign, most of the apps have a lot of similarities:

• Display Icons
  Most of the apps belonging to this campaign use one of the following icons:
• Services
  Most of the applications have a set of services ranging from 15-17 in number with the naming structure as follows:
  [ package_name ].[ random_word ]Service[ random_number ]

  We observed two sets of random words in most of the applications. Below table shows services from three applications:

• Permissions requested during installation
  The applications request for the following permissions during installation:
  • Bluetooth
  • Bluetooth Admin
  • Internet
  • Write Contacts
  • Write Settings
  • Write History Bookmarks
  • Read Contacts
  • Restart Packages
  • Read Profile
  • Get Tasks
  • Read Call Log
  • Read History Bookmarks
  • Write External Storage
  • Access Fine Location
  • Receive Boot Completed
  • Read Phone State
  • Vibrate
  • System Alert Window
  • Kill Background Processes
  • Camera
  • Wake Lock
  • Access Coarse Updates
  • Process Outgoing Calls
  • Access Coarse Location
• Code Structure
  Upon inspecting the code structure we found many applications contains a set of three class files with the encoding routine present in one of these classes as shown below:

  Interestingly, many applications contained an additional component with the addition of the above mentioned classes. This additional component is Chartboost SDK. Chartboost is a mobile game monetization platform which can be used to show video ads in games. Although, none of the apps actually do any activity other than showing the lockscreen image.

• Lockscreen
  The lockscreen image is present in the assets folder for each malicious application from this campaign:

Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the "lock" state. At present, only the System Settings is unusable but apart from that other functionality is intact. Considering the volume of malicious apps that are part of this campaign it can be said that this campaign might grow bigger in the near future with updated components. We can expect a different lockscreen image in the future that demands ransom in some form.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

• GAV: AndroidOS.Ransomware.LK
• GAV: AndroidOS.Ransomware.LK_2
• GAV: AndroidOS.Ransomware.LK_3
• GAV: AndroidOS.Ransomware.LK_4

Below are details about a small subset of samples from each group that we observed, the groups have been differentiated based on their icons: