Wipelocker: Obey or be hacked!

Categories: Malware, Security Research & Analysis, Threat Analysis

Wipelocker is a fake version of the game “Angry Birds Transformers” for Android. The first thing the Trojan does is ask for device administrator permission. It then deletes everything from the user's memory card. When the user opens a popular messenger app on the device, the Trojan locks the device with a picture reading “Obey or be hacked”. The Trojan then sends an SMS message to every contact in the user's phone book every 5 seconds. The message reads: “HEY!!! [Name of contact] Elite has hacked you. Obey or be hacked”. The Trojan also listens for incoming SMS messages and replies to them with the message: “Elite has hacked you. Obey or be hacked”.

The Wipelocker Trojan was not created to make money or to steal sensitive information. Unlike the similar Trojan “Simplocker”, it never asks for a ransom fee to unlock the device, and it does not send SMS messages to a premium-rate number.


Installation

The Trojan was available for download on third-party Android app stores under the name “Angry Bird Transformers”. The user can download the app but has to install it manually, meaning the user has to go to Settings and allow installation from “Unknown sources” before the Trojan can be installed.

[Image: tl_files/assets_cyren/images/blog/20142810_img1.png]


Once installed, the application requests the RECEIVE_BOOT_COMPLETED permission. It registers a BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.

Angry Birds Disguise

The Trojan disguises itself as a new version of the popular game “Angry Birds”, named “Angry Bird Transformers”. When the application is opened for the first time, it asks for Administrator privileges.

[Image: tl_files/assets_cyren/images/blog/20142810_img2.png]

[Image: tl_files/assets_cyren/images/blog/20142810_img3.png]

After the user has granted the application administrator privileges, the Trojan runs a method called “wipeMemoryCard()”. This method deletes every single file on the user's SD card.

[Image: tl_files/assets_cyren/images/blog/20142810_img4.png]

wipeMemoryCard() deletes every file on the external storage

After this is done, the Trojan sends SMS messages to every single contact in the user's phone book, every 5 seconds. The message the Trojan sends is: HEY!!! “[Name of contact]” Elite has hacked you. Obey or be hacked. The fixed part of the text is a string resource; getString(2131230726) returns <string name="msg">Elite has hacked you.Obey or be hacked.</string>.

[Image: tl_files/assets_cyren/images/blog/20142810_img5.png]

doInBackground()

The doInBackground() method builds the SMS message content and tries to send the SMS message every 5 seconds (Thread.sleep(5000L)).

sendSMS() uses the telephony receiver to send a multipart text message.

[Image: tl_files/assets_cyren/images/blog/20142810_img6.png]

sendSMS()
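The 5-second sending loop described above gives a defender a concrete pattern to look for. The following Python script is an added example, not code from the Cyren analysis or from the sample: it parses a constructed outgoing-SMS log (timestamp, recipient, body) and flags any message template that is sent to many distinct recipients at a near-constant short interval. Because Wipelocker inserts the contact's name into each message, the script normalises the quoted name before grouping, so the personalised copies are recognised as one template. The log format, the thresholds and all numbers are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outgoing-SMS log: "<ISO timestamp> <recipient> <body>".
# The six Wipelocker-style lines mimic the 5-second loop; the last two are
# ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
2014-10-28T10:00:00 +15550001 HEY!!! "Alice" Elite has hacked you.Obey or be hacked.
2014-10-28T10:00:05 +15550002 HEY!!! "Bob" Elite has hacked you.Obey or be hacked.
2014-10-28T10:00:10 +15550003 HEY!!! "Carol" Elite has hacked you.Obey or be hacked.
2014-10-28T10:00:15 +15550004 HEY!!! "Dave" Elite has hacked you.Obey or be hacked.
2014-10-28T10:00:20 +15550005 HEY!!! "Eve" Elite has hacked you.Obey or be hacked.
2014-10-28T10:00:25 +15550006 HEY!!! "Frank" Elite has hacked you.Obey or be hacked.
2014-10-28T10:03:00 +15550009 see you at 7?
2014-10-28T11:00:00 +15550002 ok
"""

QUOTED_NAME = re.compile(r'"[^"]*"')


def normalise_body(body):
    """Collapse the per-contact name so personalised copies share one template."""
    return QUOTED_NAME.sub('"<name>"', body)


def parse_log(text):
    """Return a list of (timestamp, recipient, template) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, recipient, body = line.split(" ", 2)
        records.append((datetime.fromisoformat(ts), recipient, normalise_body(body)))
    return records


def find_sms_floods(records, min_recipients=5, max_interval_s=10.0, max_jitter_s=2.0):
    """Flag templates sent to at least min_recipients distinct numbers with a
    mean gap of at most max_interval_s seconds and little jitter (a timer
    loop, not a person typing). Returns (template, recipient_count, mean_gap)."""
    by_template = defaultdict(list)
    for ts, recipient, template in records:
        by_template[template].append((ts, recipient))
    floods = []
    for template, sends in by_template.items():
        sends.sort()
        recipients = {r for _, r in sends}
        if len(recipients) < min_recipients:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(sends, sends[1:])]
        if mean(gaps) <= max_interval_s and pstdev(gaps) <= max_jitter_s:
            floods.append((template, len(recipients), mean(gaps)))
    return floods


if __name__ == "__main__":
    for template, count, gap in find_sms_floods(parse_log(SAMPLE_LOG)):
        print(f"{count} recipients every {gap:.1f}s: {template}")
```

Grouping on the normalised template rather than the raw body is the part that matters: a rule keyed on exact message text would see six different messages and miss the flood. The jitter check keeps legitimate group messages, which are sent in one burst rather than on a fixed timer, from being flagged.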

After the user opens one of the following applications:

  • Google Hangouts (com.google.android.talk)
  • Facebook (com.facebook.katana)
  • WhatsApp (com.whatsapp)
  • Android Messenger (older versions of Android, com.android.mms)

The Trojan locks the screen with the “Obey or be hacked” picture.

[Image: tl_files/assets_cyren/images/blog/20142810_img7.png]

getTopActivity()

[Image: tl_files/assets_cyren/images/blog/20142810_img8.png]

Lockscreen picture

List of permissions the application requires:

  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.READ_CONTACTS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WRITE_SETTINGS
  • android.permission.WAKE_LOCK
  • android.permission.BIND_DEVICE_ADMIN

Package name="com.elite"

MD5: 4e2201cde26141715255d2421f0bcfb1

SHA256: f75678b7e7fa2ed0f0d2999800f2a6a66c717ef76b33a7432f1ca3435b4831e0
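The permission list above is itself a useful detection signal: a game has no reason to combine SEND_SMS, READ_CONTACTS, BIND_DEVICE_ADMIN and a boot receiver. The Python script below is an added example, not code from the Cyren analysis or from the sample. It parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and derives the capability combinations that correspond to the behaviours described in this post. The manifest it runs on is constructed from the package name and permission list given above; the receiver names and intent filters are assumptions about how the BOOT_COMPLETED and device-admin components would be declared, and the benign manifest is a constructed control case.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified name for an android:* attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest: package name and permissions from the analysis above;
# receiver names (.BootReceiver, .AdminReceiver) are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.elite">
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/>
  <application android:label="Angry Bird Transformers">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed control case: a game that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Some Game"/>
</manifest>"""

# Permission groups that map to the behaviours described in the analysis.
CAPABILITIES = {
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_read": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage_write": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "foreground_watch": {"android.permission.GET_TASKS"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def triage_manifest(xml_text):
    """Return the package name, derived capabilities and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    actions = {e.get(android_attr("name")) for e in root.iter("action")}
    admin_receiver = any(
        r.get(android_attr("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    caps = {cap for cap, needed in CAPABILITIES.items() if needed & perms}
    if admin_receiver or "android.permission.BIND_DEVICE_ADMIN" in perms:
        caps.add("device_admin")
    if "boot_persistence" in caps and "android.intent.action.BOOT_COMPLETED" in actions:
        caps.add("boot_receiver")

    findings = []
    if {"sms_send", "contacts"} <= caps:
        findings.append("can message the whole address book (SEND_SMS + READ_CONTACTS)")
    if {"sms_read", "sms_send"} <= caps:
        findings.append("can read incoming SMS and reply to it")
    if {"device_admin", "storage_write"} <= caps:
        findings.append("device admin plus external-storage write: able to lock and wipe")
    if "boot_receiver" in caps:
        findings.append("restarts after reboot via a BOOT_COMPLETED receiver")
    if "foreground_watch" in caps:
        findings.append("can poll the foreground app (GET_TASKS), as lock-screen malware does")
    return {"package": root.get("package"), "capabilities": sorted(caps),
            "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "score", result["score"])
        for line in result["findings"]:
            print("  -", line)
```

Scoring combinations rather than single permissions is the design point: SEND_SMS alone is common in legitimate apps, but SEND_SMS together with READ_CONTACTS and a device-admin receiver in a package that calls itself a game is the profile this post describes. The hashes listed above remain the exact-match indicator; the manifest check is what catches a repacked variant with a different hash.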

To avoid getting infected by this type of malware, make sure the setting that allows installation from “Unknown sources” is turned OFF.

Do you want to provide state-of-the-art protection against Android malware? Read more about Cyren Mobile Security
