Persian Lockscreen Android malware borrows heavily from online tutorials
Online tutorials are extremely helpful when it comes to understanding something specific, be it changing the oil in a car or figuring out why the network for a Linux server is not working. But at times an online tutorial can be used for nefarious purposes as described in this blog entry.
SonicWall Threats Research Team came across an Android Lockscreen malware with an adware component. The simplistic code gave an impression that this malware might be a test malware or something created as part of a learning experience. The reason for this simplistic code became clear after few Google searches of the code, but first let's explore the malware's behavior.
The malware requests for the following permissions:
- Receive boot completed
- System alert window
- Access coarse location
This malware has the app name :@erfanandroid and package name:virus.mobile.com, clearly subtlety is not this author's strong suit.
Upon running this app the entire screen is enveloped by a lockscreen with an image that is associated with Anonymous - the international network of activist and hacktivist entities. The victim is locked out from using the phone as pressing the navigation buttons do not help, nothing apart from the lockscreen shown below is visible:
In the background this malware runs a service called VirusService which ensures that the malware is constantly running.
One of the basic instincts of a victim post infection is to restart the device and to uninstall the malware. To ensure that the malware runs automatically whenever the phone starts, there is a receiver that listens to boot_completed broadcast signal. This receiver in turn activates the VirusService mentioned above thereby activating the malware as soon as the phone starts and locks out the user.
The malware contains an additional adware component - Adad - a mobile advertisement network which operates in Persian speaking countries. Adad is advertised as the preferred advertising platform for Cafebazaar apps source. Cafebazaar in turn is a popular Iranian Google appstore.
We did not see any ads getting displayed on Bazaar or while using other apps, the adware component does not look to be fully implemented.
Coming back to the part about online tutorials, we did some online search with regards to this malware and we reached an unexpected place. We landed on a blog post which described how to create an Android lockscreen malware.
The simplistic code of this lockscreen malware can be explained by the fact that most of it was copied from the source material - this git repository. As we can see the codes are more or less the same. The only differences are in places where Persian code is inserted and the additional adware component that is part of this malware.
Based on these two factors we can say this malware is targeted to affect a specific region.
Knowledge itself is not evil, it can be used for good. But in the wrong hands it can be used in a very immoral way. The blog author most likely created the tutorial with good intentions, but it was sadly used in a wrong way.
SonicWALL provides protection against this threat via the following signatures:
- AndroidOS.PersianLockscreen.VA (Trojan)
- AndroidOS.PersianLockscreen.JV (Trojan)