New Android Lockscreen campaign spotted in the wild
The Dell SonicWALL Threats Research Team received reports of a new wave of lockscreen malware targeting Android. This lockscreen is spreading mainly via porn-related apps. We observed multiple groups of apps with subtle differences but the same overall functionality, indicating that this campaign is using multiple mediums to spread. Based on some of the components, it appears that this campaign is still in its early stages and will evolve with time.
Infection Cycle
Upon installation the app requests Device Administrator privileges. On clicking the application or opening the System Settings app we see the screen shown in the figure. This screen appears to be the ransom/lockscreen, but the user can easily leave this view by pressing the Home or Menu button.
Traditionally, lockscreens cover the entire screen of the device and "lock" users in a position where the device becomes unusable, as they cannot leave the lockscreen view. In this campaign, at the moment, the victim cannot view the contents of the System Settings app while the lockscreen is shown. It is interesting to note that there is no ransom demand of any kind; this, together with the fact that the victim can leave this view, indicates that this mechanism might not be completely implemented.
Once the application starts running, encoded data is transmitted to multiple domains in the background. The encoding routine is present in each application that is part of this campaign:
We observed data being sent to the following domains:
- routstreetcars.com
- highlevelzend.com
- girlszendarno.com
- artflowerstreet.net
- raspberryfog.net
If an Android device gets infected with malware that holds Device Administrator privileges, it becomes difficult to remove, as the Uninstall button is greyed out. A good way to circumvent this is to boot the device into Safe Mode and then remove it. Safe Mode disables third-party apps, so it becomes easier to remove malware or any unwanted app. However, some Android malware is persistent in Safe Mode as well, and this malicious app is no different.
Once in Safe Mode, the malicious app starts blocking the System Settings app after a few moments, as shown below:
The traditional way to remove an application does not work here, as the System Settings app is unusable because of the lockscreen. An alternative is to disable the running app via Android Debug Bridge (adb):
- Get into the device shell: adb shell
- Disable the app from inside the shell: pm disable [ application package name ]
- Exit the shell and run: adb uninstall [ application package name ]
We observed a number of apps belonging to this campaign; most of them share many similarities:
- Display Icons
Most of the apps belonging to this campaign use one of the following icons:
- Services
Most of the applications have a set of 15-17 services with the following naming structure:
[ package_name ].[ random_word ]Service[ random_number ]
We observed two sets of random words in most of the applications. The table below shows services from three applications:
- Permissions requested during installation
The applications request the following permissions during installation:
- Bluetooth
- Bluetooth Admin
- Internet
- Write Contacts
- Write Settings
- Write History Bookmarks
- Read Contacts
- Restart Packages
- Read Profile
- Get Tasks
- Read Call Log
- Read History Bookmarks
- Write External Storage
- Access Fine Location
- Receive Boot Completed
- Read Phone State
- Vibrate
- System Alert Window
- Kill Background Processes
- Camera
- Wake Lock
- Access Coarse Updates
- Process Outgoing Calls
- Access Coarse Location
- Code Structure
Upon inspecting the code structure, we found that many applications contain a set of three class files, with the encoding routine present in one of these classes, as shown below:
Interestingly, many applications contained an additional component alongside the above-mentioned classes. This additional component is the Chartboost SDK. Chartboost is a mobile game monetization platform that can be used to show video ads in games. However, none of the apps actually does anything other than show the lockscreen image.
- Lockscreen
The lockscreen image is present in the assets folder for each malicious application from this campaign:
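The traits described above (the Device Administrator request, the [ package_name ].[ random_word ]Service[ random_number ] service naming, and the permission set) can be checked mechanically against a decoded AndroidManifest.xml. The following Python triage script is an added example and is not code from the original post or from Dell SonicWALL; the flagging thresholds and the sample manifest it builds are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERM = "{%s}name" % ANDROID_NS, "{%s}permission" % ANDROID_NS

# Subset of the permissions listed in the report, in manifest form.
CAMPAIGN_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.RESTART_PACKAGES",
    "android.permission.GET_TASKS", "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.WRITE_SETTINGS",
}
# Assumed flagging thresholds (the report observed 15-17 such services per app).
MIN_SERVICES, MIN_PERM_OVERLAP = 15, 5

def resolve(pkg, name):
    """Expand a relative component name such as ".FooService1" to its full class name."""
    return pkg + name if name.startswith(".") else name

def triage_manifest(xml_text):
    """Score an AndroidManifest.xml against the traits described in the report."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    # Service naming structure from the report: [package].[random_word]Service[random_number]
    svc_re = re.compile(r"^%s\.[A-Za-z]+Service\d+$" % re.escape(pkg))
    services = [resolve(pkg, s.get(A_NAME, "")) for s in root.iter("service")]
    matching = [s for s in services if svc_re.match(s)]
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app requests Device Administrator.
    admin = any(r.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN" for r in root.iter("receiver"))
    overlap = len(perms & CAMPAIGN_PERMISSIONS)
    return {"package": pkg, "device_admin": admin, "matching_services": len(matching),
            "permission_overlap": overlap,
            "suspicious": admin and len(matching) >= MIN_SERVICES and overlap >= MIN_PERM_OVERLAP}

def build_sample_manifest(pkg, n_services, device_admin=True):
    """Constructed manifest mimicking the campaign layout; not taken from any real sample."""
    words, svcs = ["alpha", "beta", "gamma", "delta"], ""
    for i in range(n_services):
        cls = "%sService%d" % (words[i % 4], i)
        # Alternate relative and fully qualified names, as real manifests may do.
        svcs += '<service android:name="%s"/>' % ("." + cls if i % 2 else pkg + "." + cls)
    perms = "".join('<uses-permission android:name="%s"/>' % p for p in sorted(CAMPAIGN_PERMISSIONS))
    recv = ('<receiver android:name=".AdminReceiver" '
            'android:permission="android.permission.BIND_DEVICE_ADMIN"/>') if device_admin else ""
    return ('<manifest xmlns:android="%s" package="%s">%s<application>%s%s</application></manifest>'
            % (ANDROID_NS, pkg, perms, recv, svcs))
```

Run it against the manifest extracted from an APK (for example with apktool) rather than the constructed sample; relative component names are resolved against the package so the service regex still matches.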
Overall, it looks like this campaign is in its early days, as the lockscreen does not work as expected and it is easy to get out of the "lock" state. At present only the System Settings app is unusable; other functionality is intact. Considering the volume of malicious apps that are part of this campaign, it might grow bigger in the near future with updated components. We can expect a different lockscreen image in the future that demands a ransom in some form.
Dell SonicWALL provides protection against multiple versions of this threat via the following signatures:
- GAV: AndroidOS.Ransomware.LK
- GAV: AndroidOS.Ransomware.LK_2
- GAV: AndroidOS.Ransomware.LK_3
- GAV: AndroidOS.Ransomware.LK_4
Below are details about a small subset of samples from each group that we observed; the groups have been differentiated based on their icons: