New Android Lockscreen campaign spotted in the wild

June 16, 2016

Dell SonicWALL Threats Research Team got reports of a new wave of lockscreen malware spreading for Android. This lockscreen is spreading mainly via Porn related apps. We observed multiple groups of apps with subtle differences but the same functionality overall indicating this campaign is using multiple mediums to spread. Based on some of the components it appears that this campaign is still in its early stages and will evolve with time.

Infection Cycle

Upon installation the app requests for Device Administrator privileges. Permissions for dev admin ? On clicking the application or opening the System Settings app we see a screen as shown in the figure. This screen appears to be the ransom/lockscreen but the user can easily come out of this view by clicking the Home or Menu buttons.

Traditionally lockadult_screens cover the entire screen of the device and "lock" the users in a position where the device becomes unusable as the users cannot come out of the lockscreen view. In this campaign, at the moment the victim cannot view contents of the System Settings as the lockscreen is shown. It is interesting to note that there is no demand for ransom of any kind, also the fact that the victim can come out of this view gives an indication that this mechanism might not be completely implemented.

Once the application starts running, encoded data is transmitted to multiple domains in the background. The encoding routine is present in each application that is part of this campaign:

We observed data being sent to the following domains:


If an Android device gets infected with a malware with Device Administrator privileges it becomes difficult to remove it as the uninstall button gets greyed out. A good way to circumvent this issue is to get the device into Safe Mode and then remove it. Getting an Android device into Safe Mode disables the third party apps so it becomes easier to remove malware or any unwanted app. But some Android malware are persistent in Safe Mode as well, this malicious app is no different.

Once in Safe Mode the malicious app starts blocking the System Settings after a few moments as shown below:

The traditional way to remove an application does not work here as the System Settings app is unusable because of the lockscreen. An alternative is to disable the running app via Android Debug Bridge (adb):

  • Get into the device shell - adb shell
  • pm disable [ application package name ]
  • Get out of the shell and run - adb uninstall [ application package name ]

We observed a number of apps belonging to this campaign, most of the apps have a lot of similarities:

  • Display Icons
    Most of the apps belonging to this campaign use one of the following icons:
  • Services
    Most of the applications have a set of services ranging from 15-17 in number with the naming structure as follows:
    [ package_name ].[ random_word ]Service[ random_number ]

    We observed two sets of random words in most of the applications. Below table shows services from three applications:

  • Permissions requested during installation
    The applications request for the following permissions during installation:
    • Bluetooth
    • Bluetooth Admin
    • Internet
    • Write Contacts
    • Write Settings
    • Write History Bookmarks
    • Read Contacts
    • Restart Packages
    • Read Profile
    • Get Tasks
    • Read Call Log
    • Read History Bookmarks
    • Write External Storage
    • Access Fine Location
    • Receive Boot Completed
    • Read Phone State
    • Vibrate
    • System Alert Window
    • Kill Background Processes
    • Camera
    • Wake Lock
    • Access Coarse Updates
    • Process Outgoing Calls
    • Access Coarse Location
  • Code Structure
    Upon inspecting the code structure we found many applications contains a set of three class files with the encoding routine present in one of these classes as shown below:

    Interestingly, many applications contained an additional component with the addition of the above mentioned classes. This additional component is Chartboost SDK. Chartboost is a mobile game monetization platform which can be used to show video ads in games. Although, none of the apps actually do any activity other than showing the lockscreen image.

  • Lockscreen
    The lockscreen image is present in the assets folder for each malicious application from this campaign:

Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the "lock" state. At present, only the System Settings is unusable but apart from that other functionality is intact. Considering the volume of malicious apps that are part of this campaign it can be said that this campaign might grow bigger in the near future with updated components. We can expect a different lockscreen image in the future that demands ransom in some form.

Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:

  • GAV: AndroidOS.Ransomware.LK
  • GAV: AndroidOS.Ransomware.LK_2
  • GAV: AndroidOS.Ransomware.LK_3
  • GAV: AndroidOS.Ransomware.LK_4

Below are details about a small subset of samples from each group that we observed, the groups have been differentiated based on their icons:

Icon MD5 Package Name
2bc52bd05fcd98236b081a1ba5845454 com.wedlock.cellular
5aaa96d6ce97bc3f2b8ccc7e2b9fc259 content.constructing
e3883943ba264939038b529006abfdb9 content.pranks
d698a3f1d0e9c54cbd53ca2a02eee407 net.melodies.dehydrating
8a2680716b605f68478dd5f4f108aa0c org.undertones.ponder
de2d20d9adc97187e6a6e17fcb9c284a edu.undermanned
91bd903b23e87787a706455da2bdc178 com.jigs
6f2cf2bb1cd16f05185e4da7e67717f0 de.calmer
a9dd251bf780ed8c3560fd93ac6723d0 de.predefine.bullet
b41db3bb436e8522ecfe88e507f6ff7f edu.deductively.horseradish
fa31fed7d4ee5dd210a35e76c228ecc6 content.grandly
1232d4d8dd9ac5566d89c2e86f0a17c6 net.logarithmic.quarrelling
fdb5ee400746b708328e59f5be0630bd fl.uncritically.aspirant
a5a4be2f8d0169be1c5fa816d83a361b net.lobotomising
68851e90861ad8c0a9f025e88cc75e24 fl.undetectability.reissues
c454f79278e19fb62e5b3645ad2e6ec9 content.reinitialise.intuitively
a7648efd10036d45c057617da2141a3a com.adoringly.bracing
1c52a678a7281082625eb195419c0329 de.cleaving.carer
8fd53b0358d865c3994e077c861cc296 de.tans.wont
21b80741fce42c47f5633077e8d17921 de.clo
d1ba17fbba8df61e356b32ed19b4a8b3 content.signatory
0785361faab56ec46a86ac1494a6c56f org.affixes.sheepdog
850e4ae1af21873495a3f9d383a7a69a edu.kilowatt.filling