Select Page

Cyren Security Blog

Wipelocker Malware: Obey or Be Hacked

Ransomware has become one of the most notorious forms of malware, as it continually targets end-users, governments, and business organizations. For this reason, it has become very profitable for cybercriminals, who make revenues of millions of dollars. This is now a very serious threat to organizations with financial loss of billions of dollars.

Let’s take a look at how Wipelocker impacted individual users in the past, and how this can be used as a warning to businesses that they should always be on the lookout for new kinds of attacks.

What is Wipelocker?

Wipelocker is a fake version of the game “Angry Birds Transformers” for Android. It is a ransomware trojan that impacts Android and is packaged as com.elite. The Wipelocker Trojan was not built in order to make money or steal sensitive, important information, and it does not ask a fee to unlock the device. This is unlike the similar Trojan “Simplocker”, which used social engineering in order to trick users into paying ransoms to unlock their devices.

In a nutshell, the main key features of the Wipelocker malware are:

  • It deletes all the files from the external storage
  • Sends SMS messages to the contacts of the user
  • “Locking” the screen with a picture so that the phone un-usable
  • Tries to get Administrator rights

How Does Wipelocker Work?

The first thing the Trojan does is ask for administrator permission. The Trojan then deletes everything from the users’ memory card. When the user opens up a popular messenger app on the device the Trojan acts and locks the device with a picture “Obey or be hacked”. The Trojan then sends an SMS message to every contact in the users’ phone book every 5 seconds. The SMS message: “HEY!!! “[Name of contact]” Elite has hacked you. Obey or be hacked”. The Trojan also listens for incoming SMS messages and reply’s to them with the message: “Elite has hacked you. Obey or be hacked”

The Wipelocker Trojan is not created to make money or to steal sensitive information. It never asks for a ransom fee to unlock the device unlike the similar Trojan “Simplocker” and it does not send an SMS message to a premium number.

Installation of Wipelocker

The Trojan was available for download on third-party Android app stores under the name “Angry Bird Transformers”. The user is able to download the app but has to install it manually. Meaning that the user has to go to settings and allow installation of “Unknown sources” to be able to install the Trojan.


Once installed, the Android application asks for permission to RECEIVE_BOOT_COMPLETED when installed. The application adds the BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.

Angry Birds Disguise

The Trojan disguises itself as a new version of the popular game “Angry Birds”, “Angry Bird Transformers”. After the application is opened for the first time it asks for Administrator privileges.


After the user has granted the application administrator privileges the Trojan runs a method called “wipeMemoryCard()”. This method deletes every single file on the user’s SD card.


wipeMemoryCard() deletes every file on the external storage

After this is done the Trojan then sends multiple SMS messages to every single contact in the user’s phone book every 5 seconds. The message that the Trojan sends is HEY!!! “Name of contact” Elite has hacked you. Obey or be hacked” getString(2131230726) returns <string name=”msg”>Elite has hacked you.Obey or be hacked.</string>.



doInBackground method creates the SMS message with the content. The method tries to send SMS message every 5 seconds (Thread.sleep(5000L)).

sendSMS uses the telephony receiver to send multipart text messages.



“Elite Has Hacked You – Obey or Be Hacked”

After the user opens one of the following applications:

  • Google Hangouts (
  • Facebook (com.facebook.katana)
  • WhatsApp (com.whatsapp)
  • Android Messenger (older version of android,

The Trojan locks the screen with the “Obey or be hacked” picture.




Lockscreen picture

List of permission the application requers:

  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.READ_CONTACTS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WRITE_SETTINGS
  • android.permission.WAKE_LOCK
  • android.permission.BIND_DEVICE_ADMIN

Package name=”com.elite”

MD5: 4e2201cde26141715255d2421f0bcfb1

SHA256: f75678b7e7fa2ed0f0d2999800f2a6a66c717ef76b33a7432f1ca3435b4831e0

How To Avoid Future Attacks

To avoid getting infected by this type of malware, make sure your setting to allow installation of “Unknown sources” is turned OFF.

Final Thoughts

Do you want to make sure your business utilizes state-of-the-art protection against Android malware, such as Wipelocker? Read more about Cyren Mobile Security

You might also like