Wipelocker is a fake version of the game “Angry Birds Transformers” for Android. The first thing the Trojan does is ask for administrator permission. The Trojan then deletes everything from the users memory card. When the user opens up a popular messenger app on the device the Trojan acts and locks the device with a picture “Obey or be hacked”. The Trojan then sends an SMS message to every contact in the users phone book every 5 seconds. The SMS message: “HEY!!! “[Name of contact]” Elite has hacked you. Obey or be hacked". The Trojan also listens for incoming SMS messages and reply’s to them with the message: “Elite has hacked you. Obey or be hacked”
The Wipelocker Trojan is not created to make money or to steal sensitive information. It never asks for a ransom fee to unlock the device unlike the similar Trojan “Simplocker” and it does not send an SMS message to a premium number.
The Trojan was available for download on third party Android app stores under the name “Angry Bird Transformers”. The user is able to download the app but has to install it manually. Meaning that the user has to go to settings and allow installation of “Unknown sources” to be able to install the Trojan.
Once installed, the Android application asks for permission to RECEIVE_BOOT_COMPLETED when installed. The application adds the BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.
Angry Birds Disguise
The Trojan disguises itself as a new version of the popular game “Angry Birds”, “Angry Bird Transformers”. After the applications is opened for the first time it asks for Administrator privileges.
After the user has granted the application administrator privileges the Trojan runs a method called “wipeMemoryCard()”. This method deletes every single file on the user’s SD card.
wipeMemoryCard() deletes every file on the external storage
After this is done the Trojan then sends multiple SMS messages to every single contact in the user’s phone book every 5 seconds. The messages that the Trojan sends is HEY!!! “Name of contact” Elite has hacked you. Obey or be hacked" getString(2131230726) returns <string name="msg">Elite has hacked you.Obey or be hacked.</string>.
doInBackground method creates the SMS message with the content. The method tries to send SMS message every 5 seconds (Thread.sleep(5000L)).
sendSMS uses the telephony receiver to send multipart text message.
After the user opens one of the following applications:
- Google Hangouts (com.google.android.talk)
- Facebook (com.facebook.katana)
- WhatsApp (com.whatsapp)
- Android Messenger (older version of android, com.android.mms)
The Trojan locks the screen with the “Obey or be hacked” picture.
List of permission the application requers:
To avoid getting infected by this type of malware, make sure your setting to allow installation of “Unknown sources" is turned OFF.
Do you want to provide state-of-the-art protection against Android malware? Read more about Cyren Mobile Security