Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Angry Birds Malware: Obey or Be Hacked

Ransomware has become one of the most notorious forms of malware, as it continually targets end-users, governments, and business organizations. For this reason, it has become very profitable for cybercriminals, who make revenues of millions of dollars. This is now a very serious threat to organizations with financial loss of billions of dollars.

Let’s take a look at how Wipelocker malware impacted individual users in the past, and how this can be used as a warning to businesses that they should always be on the lookout for new kinds of attacks.

What is Wipelocker Malware?

Wipelocker is a fake version of the game “Angry Birds Transformers” for Android. It is a ransomware trojan that impacts Android and is packaged as com.elite. The Wipelocker Trojan was not built to make money or steal sensitive, important information, and it does not ask a fee to unlock the device. This is unlike the similar Trojan “Simplocker”, which used social engineering in order to trick users into paying ransoms to unlock their devices.

In a nutshell, the main key features of the Wipelocker malware are:

  • It deletes all the files from the external storage
  • Sends SMS messages to the contacts of the user
  • “Locking” the screen with a picture so that the phone un-usable
  • Tries to get Administrator rights

How Does Wipelocker Malware Work?

The first thing the Trojan does is ask for administrator permission. The Trojan then deletes everything from the users’ memory card. When the user opens up a popular messenger app on the device the Trojan acts and locks the device with a picture “Obey or be hacked”. The Trojan then sends an SMS message to every contact in the users’ phone book every 5 seconds. The SMS message: “HEY!!! “[Name of contact]” Elite has hacked you. Obey or be hacked”. The Trojan also listens for incoming SMS messages and replies to them with the message: “Elite has hacked you. Obey or be hacked.”

 

Understand what it takes to detect and respond to targeted phishing attacks on Office 365 in real-time.

Read the Playbook

The Wipelocker Trojan is not created to make money or to steal sensitive information. It never asks for a ransom fee to unlock the device unlike the similar Trojan “Simplocker” and it does not send an SMS message to a premium number.

Installation of Wipelocker and Angry Birds Malware

The Trojan was available for download on third-party Android app stores under the name “Angry Bird Transformers”. The user was able to download the app but had to install it manually. Meaning that the user had to go to settings and allow installation of “Unknown sources” to be able to install the Trojan.

tl_files/assets_cyren/images/blog/20142810_img1.png

Once installed, the Android application asks for permission to RECEIVE_BOOT_COMPLETED when installed. The application adds the BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.

Angry Birds App in Disguise

The Trojan disguises itself as a new version of the popular game “Angry Birds”, “Angry Bird Transformers”. After the application is opened for the first time it asks for Administrator privileges.

tl_files/assets_cyren/images/blog/20142810_img2.pngtl_files/assets_cyren/images/blog/20142810_img3.png

After the user has granted the application administrator privileges the Trojan runs a method called “wipeMemoryCard()”. This method deletes every single file on the user’s SD card.

tl_files/assets_cyren/images/blog/20142810_img4.png

wipeMemoryCard() deletes every file on the external storage

After this is done the Trojan then sends multiple SMS messages to every single contact in the user’s phone book every 5 seconds. The message that the Trojan sends is HEY!!! “Name of contact” Elite has hacked you. Obey or be hacked” getString(2131230726) returns <string name=”msg”>Elite has hacked you.Obey or be hacked.</string>.

tl_files/assets_cyren/images/blog/20142810_img5.png

doInBackground()

doInBackground method creates the SMS message with the content. The method tries to send SMS message every 5 seconds (Thread.sleep(5000L)).

sendSMS uses the telephony receiver to send multipart text messages.

tl_files/assets_cyren/images/blog/20142810_img6.png

sendSMS()

“Elite Has Hacked You – Obey or Be Hacked”

After the user opens one of the following applications:

  • Google Hangouts (com.google.android.talk)
  • Facebook (com.facebook.katana)
  • WhatsApp (com.whatsapp)
  • Android Messenger (older version of android, com.android.mms)

The Trojan locks the screen with the “Obey or be hacked” picture.

tl_files/assets_cyren/images/blog/20142810_img7.png

getTopActivity()

tl_files/assets_cyren/images/blog/20142810_img8.png

Lockscreen picture

List of permissions the fake Angry Birds application requires:

  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.READ_CONTACTS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WRITE_SETTINGS
  • android.permission.WAKE_LOCK
  • android.permission.BIND_DEVICE_ADMIN

Package name=”com.elite”

MD5: 4e2201cde26141715255d2421f0bcfb1

SHA256: f75678b7e7fa2ed0f0d2999800f2a6a66c717ef76b33a7432f1ca3435b4831e0

Final Thoughts: How To Avoid Future Malware Attacks

Malware like Wipelocker is unfortunately more common than you’d think. Anyone can be a victim and in order to avoid getting infected by this type of malware, make sure the setting to allow installation of “Unknown sources” is turned OFF on your device.

Ready to make sure your business is protected against malware, such as Wipelocker? Read more about state-of-the-art malware protection from Cyren.

 

Find out how to investigate targeted phishing incidents.

Read the Playbook

You might also like

What is Microsoft Office 365 Advanced Threat Protection?

Office 365 Advanced Threat Protection (also known as ATP and Defender) can provide your organization with advanced security features - keeping you protected from cybersecurity threats. With today's cybersecurity landscape, where new threats appear daily, if not...