Android malware with hidden message for Security Analysts
In today's internet age, malware has gained immense visibility as a threat, and awareness of its dangers is widespread. Many companies allocate a budget to safeguard their products and services against such threats. In an effort to thwart a fast-spreading malware sample, it generally goes through static and dynamic inspection, automated or performed manually by security researchers, to understand it and provide remediation.
Sometimes malware writers hide messages meant for the researchers who dissect such malicious entities, as these messages are only visible to prying eyes. The Dell SonicWALL Threats Research team received reports of such a self-aware Android locker malware that winks at researchers with a message in its code.
The Android Package (apk) asks for the following permissions during installation:
- System Alert Window
- Receive SMS
- Send SMS
- Receive boot completed
- Access network state
Upon installation once the app is started we see a lockscreen as below:
This lockscreen hinders the user from doing any activity on the device: the buttons and touch feedback do not perform any action, and the only thing staring back at the user is the lockscreen. This is where malware writers usually demand a ransom, generally money, in exchange for liberating the device from the lockscreen.
In this case, however, we do not see any such demand; the message simply states that the device can be 'unlocked' if the right password is entered. As per the message on the lockscreen, the trojan generates a serial number for every infected device (9476849 in our case).
Once the lockscreen sets in, an SMS is sent to 183[removed] in the background to indicate successful infection on a device. This is where the SMS Send and Receive permission is used by the app.
Lockscreen malware that displays a ransom message covering the entire screen has been on the rise for both mobile devices and Windows machines; detailed analysis of some of them can be seen on our blogs. But this malware for Android devices has a special message for the security analysts who analyze it:
An Android application is made up of compiled Java code; in order to view the code and perform a static analysis of the application, it has to be decompiled. This is a common practice in Android malware analysis, and the malware writers in this case have added a message for security analysts who try to decompile the application.
There have been trojans in the past that lock the device and encrypt all the files present on it in exchange for money, as highlighted in one of our previous blogs. We did not see any such demands in this case; this trojan is essentially just a locker and does not encrypt the files on the device. It won't be surprising if additional features are added to this trojan in the time to come.
Getting rid of the lockscreen is quite easy in this case if one follows the steps listed below:
- Unlock Developer mode by going to Settings > About Phone > Build number and tapping it 7 times
- Enable USB debugging from Settings > Developer Options
- Connect the device to a machine that has the Android SDK installed; we will be using Android Debug Bridge (ADB), a command line tool that can communicate with the device
- Double check that the device is connected and adb is able to talk to it by running - adb devices
- The list of devices attached should show your device's serial number
- Once connected, simply run - adb shell am force-stop qqkj.qqmagic
- Here we are force-stopping everything associated with the app that has the specified package name
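The removal steps above wrapped into a small script, as an added example that is not part of the original post. It uses the package name qqkj.qqmagic from the analysis; the function names, the ADB_CMD override, and the sample `adb devices` output are assumptions constructed for illustration. It also skips devices that adb lists as "unauthorized" or "offline", since the shell commands would fail on those.

```shell
#!/bin/sh
# Added example (not from the original post): force-stop and uninstall the
# locker via adb. PACKAGE comes from the analysis; ADB_CMD is an assumed
# override so the functions can be exercised without a real adb binary.
PACKAGE="qqkj.qqmagic"
ADB_CMD="${ADB_CMD:-adb}"

# Print the serials of devices that `adb devices` reports in the "device"
# state. Entries marked "unauthorized" (USB debugging prompt not yet
# accepted on the phone) or "offline" are skipped because adb shell
# commands cannot run on them. $1 is the text produced by `adb devices`.
ready_serials() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { print $1 }'
}

# Force-stop the locker and then uninstall it from the device with serial $1.
# Returns non-zero if either adb command fails, so the caller can notice.
remove_locker() {
    serial="$1"
    "$ADB_CMD" -s "$serial" shell am force-stop "$PACKAGE" || return 1
    "$ADB_CMD" -s "$serial" uninstall "$PACKAGE" || return 1
}

# Run the cleanup on every authorized device currently attached.
main() {
    listing="$("$ADB_CMD" devices)"
    serials="$(ready_serials "$listing")"
    if [ -z "$serials" ]; then
        echo "no authorized device attached; check USB debugging" >&2
        return 1
    fi
    for s in $serials; do
        echo "removing $PACKAGE from $s"
        remove_locker "$s" || echo "cleanup failed on $s" >&2
    done
}

# Only act when invoked as `sh remove_locker.sh run`; sourcing the file
# just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Invoke it as `sh remove_locker.sh run` with the device attached; a "cleanup failed" line means one of the adb commands returned an error and the device should be checked by hand.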
Overall, this threat can be easily countered by force-stopping the app via adb and uninstalling it. Additionally, we did not observe any sensitive user information being transmitted back to the attacker, which suggests the low potency of this threat.
Dell SonicWALL provides protection against this threat via the following signatures:
- GAV: AndroidOS.SLocker.EG (Trojan)
- GAV: AndroidOS.SLocker.CN (Trojan)
- Package Name: qqkj.qqmagic
- MD5: 735b4e78b334f6b9eb19e700a4c30966