Ransomware has become one of the most notorious forms of malware, continually targeting end users, governments, and business organizations. It has become very profitable for cybercriminals, who make revenues of millions of dollars, and it is now a very serious threat to organizations, with financial losses of billions of dollars.
Let’s take a look at how Wipelocker impacted individual users in the past, and how this can be used as a warning to businesses that they should always be on the lookout for new kinds of attacks.
What is Wipelocker?
Wipelocker is a fake version of the game “Angry Birds Transformers” for Android. It is a ransomware trojan that targets Android and is packaged as com.elite. The Wipelocker Trojan was not built to make money or steal sensitive information, and it does not ask for a fee to unlock the device. This is unlike the similar Trojan “Simplocker”, which used social engineering to trick users into paying ransoms to unlock their devices.
In a nutshell, the key features of the Wipelocker malware are:
- Deletes all the files from the external storage
- Sends SMS messages to the contacts of the user
- “Locks” the screen with a picture so that the phone is unusable
- Tries to get Administrator rights
How Does Wipelocker Work?
The first thing the Trojan does is ask for administrator permission. The Trojan then deletes everything from the user's memory card. When the user opens a popular messenger app on the device, the Trojan acts and locks the device with a picture reading “Obey or be hacked”. The Trojan then sends an SMS message to every contact in the user's phone book every 5 seconds. The SMS message reads: “HEY!!! [Name of contact] Elite has hacked you. Obey or be hacked”. The Trojan also listens for incoming SMS messages and replies to them with the message: “Elite has hacked you. Obey or be hacked”.
The Wipelocker Trojan was not created to make money or to steal sensitive information. Unlike the similar Trojan “Simplocker”, it never asks for a ransom fee to unlock the device, and it does not send SMS messages to a premium number.
Installation of Wipelocker
The Trojan was available for download on third-party Android app stores under the name “Angry Bird Transformers”. The user is able to download the app but has to install it manually, meaning that the user has to go to settings and allow installation from “Unknown sources” to be able to install the Trojan.
On installation, the Android application asks for the RECEIVE_BOOT_COMPLETED permission. The application adds a BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.
Angry Birds Disguise
The Trojan disguises itself as a new version of the popular game “Angry Birds”, “Angry Bird Transformers”. After the application is opened for the first time it asks for Administrator privileges.
After the user has granted the application administrator privileges the Trojan runs a method called “wipeMemoryCard()”. This method deletes every single file on the user’s SD card.
wipeMemoryCard() deletes every file on the external storage
After this is done, the Trojan sends SMS messages to every single contact in the user’s phone book every 5 seconds. The message that the Trojan sends is “HEY!!! [Name of contact] Elite has hacked you. Obey or be hacked”. The call getString(2131230726) returns <string name="msg">Elite has hacked you.Obey or be hacked.</string>.
The doInBackground method creates the SMS message with this content. The method tries to send an SMS message every 5 seconds (Thread.sleep(5000L)).
sendSMS uses the telephony receiver to send multipart text messages.
“Elite Has Hacked You - Obey or Be Hacked”
After the user opens one of the following applications:
- Google Hangouts (com.google.android.talk)
- Facebook (com.facebook.katana)
- WhatsApp (com.whatsapp)
- Android Messenger (older versions of Android, com.android.mms)
The Trojan locks the screen with the “Obey or be hacked” picture.
List of permissions the application requires:
How To Avoid Future Attacks
To avoid getting infected by this type of malware, make sure the setting that allows installation from “Unknown sources” is turned OFF.
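Where an APK from a third-party store has to be assessed anyway, the traits described above (administrator request, BOOT_COMPLETED receiver, SMS sending, access to contacts and external storage) can be checked in its decoded AndroidManifest.xml before installation. The following Python script is an added example, not code from the original article or from the malware; the behaviour-to-permission mapping, the function names and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Behaviour from the article -> permission it normally needs. This mapping is an
# assumption: the article's own permission list is not reproduced on the page.
BEHAVIOUR_PERMS = {
    "write external storage": "android.permission.WRITE_EXTERNAL_STORAGE",
    "send SMS": "android.permission.SEND_SMS",
    "read contacts": "android.permission.READ_CONTACTS",
    "receive SMS": "android.permission.RECEIVE_SMS",
    "start at boot": "android.permission.RECEIVE_BOOT_COMPLETED",
}

def triage_manifest(xml_text):
    """Return the set of Wipelocker-style traits present in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    traits = {name for name, perm in BEHAVIOUR_PERMS.items() if perm in requested}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            traits.add("boot receiver")
        if (rcv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            traits.add("device admin receiver")
    return traits

def is_suspicious(traits):
    """A game needs none of these together: admin + boot persistence + SMS + storage."""
    return {"device admin receiver", "boot receiver", "send SMS",
            "write external storage"} <= traits

# Constructed sample manifest for illustration; not taken from the real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE)
    print(sorted(found), "SUSPICIOUS" if is_suspicious(found) else "ok")
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text first (for example with apktool) before it is passed to `triage_manifest`.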