WipeLocker
Summary
Details
WipeLocker is a piece of malware discovered in September 2014. Its purpose is to wipe the SD card and block certain social apps while displaying a hacking message. It also sends SMS messages to the victim’s contacts. The malware presents itself as a fake Angry Bird Transformers game.
Once the application is launched, the main activity performs three actions.
Stage 1: Starting the malicious service
The application first starts the service IntentServiceClass. Note that this service can also be started by a BOOT_COMPLETED receiver named BootReceiver. The purpose of this service is to schedule the execution of MyServices.getTopActivity() every 0.5 seconds and MyServices.Async_sendSMS() every 5 seconds.
getTopActivity() is a function that checks the current foreground activity; if it is the SMS/MMS Android app, Facebook, Hangouts or WhatsApp, it displays a fullscreen “Obey or Be Hacked” image on the screen, making it impossible to use those apps.
Async_sendSMS() is an AsyncTask that sends a text message to all of the victim’s contacts. It spams the message “HEY!!! <contact_name> Elite has hacked you.Obey or be hacked” every 5 seconds.
Stage 2: Activating the device administration features
The second action of the malware is to ask the user to activate the device administration features of the app. If the user declines, the app asks again, over and over, until the user accepts. Administration features allow an application to perform sensitive operations such as wiping the device content or enforcing a password security policy. The file res/xml/device_admin_sample.xml lists the operations the application wishes to handle; this file is, however, empty, which means the application will not handle any sensitive operation. In fact, the only purpose of this stage is to make the app much harder to uninstall, because device administrators cannot be uninstalled like normal apps. If the user accepts, the app closes and removes its icon from the launcher, with the same code as SaveMe.
Stage 3: Wiping off the SD card
The last action performed by the malware is the deletion of all files and directories on the external storage. Even if the user declined the device administration features, the function wipeMemoryCard() is called. This function uses Environment.getExternalStorageDirectory() to get the path to the external storage, then calls File.listFiles() to iterate over the files and File.delete() to delete each of them.
Stage 4: Intercepting SMS
A last feature of the malware is the interception of incoming SMS. It is simply a receiver named SMSReceiver that is triggered by the SMS_RECEIVED intent. When an SMS is received, the malware automatically replies to the sender with the message “Elite has hacked you.Obey or be hacked”. The victim is not notified by the system of the incoming SMS because the receiver has a high priority (2147483647 in the manifest) and calls abortBroadcast() right after reading the message.
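The manifest-level traits described in Stages 1, 2 and 4 (a BOOT_COMPLETED receiver, a device-admin receiver whose policy file requests nothing, and an SMS_RECEIVED receiver with priority 2147483647 that can swallow the broadcast) can be checked statically from a decoded APK. The script below is an added triage example, not code from the wiki or from the malware; the manifest and policy XML it parses are constructed here, and the DeviceAdminReceiver class name is an assumption.

```python
# Static triage for the WipeLocker manifest traits described above (constructed input).
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE, the priority the analysis reports
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed decoded AndroidManifest.xml: SMSReceiver and BootReceiver follow the
# analysis; the DeviceAdminReceiver class name is an assumption.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".DeviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin_sample"/>
    </receiver>
  </application>
</manifest>"""
# Constructed res/xml/device_admin_sample.xml that, like WipeLocker's, requests no policy.
SAMPLE_POLICY = '<device-admin xmlns:android="http://schemas.android.com/apk/res/android"><uses-policies/></device-admin>'


def triage(manifest_xml, policy_xml):
    """Return which of the three WipeLocker manifest traits are present."""
    found = {"sms_receiver_max_priority": False, "boot_receiver": False,
             "device_admin_without_policies": False}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            # apktool may print the priority in decimal or hex; base 0 accepts both
            priority = int(flt.get(ANDROID + "priority", "0"), 0)
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions and priority >= MAX_PRIORITY:
                found["sms_receiver_max_priority"] = True  # can abortBroadcast() before the SMS app
            if BOOT_COMPLETED in actions:
                found["boot_receiver"] = True
        if receiver.get(ANDROID + "permission") == BIND_DEVICE_ADMIN:
            policies = ET.fromstring(policy_xml).find("uses-policies")
            # empty <uses-policies/>: admin rights serve only to resist uninstallation
            if policies is None or len(policies) == 0:
                found["device_admin_without_policies"] = True
    return found
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_POLICY)` to see all three traits flagged; on a real sample, point it at the apktool output directory's manifest and the referenced policy file.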
Other resources
- Angry Birds Transformers Trojan targets Android, warns ‘Obey or be hacked’
- Destructive Android Trojan poses as newest Angry Birds game
- New Android Malware Poses as Angry Bird Transformers, Wipes Device Clean
- Vandal Trojan for Android wipes memory cards and blocks communication
- Wipelocker: Obey or be hacked!
Triggering
Characteristics
Malware type:
- Bricker / Eraser
Attacks:
- Confidentiality
- Integrity
- Availability
- Normal use
Infection technique: Standalone application
Malicious code type:
- Use Java code
Hiding techniques:
- Remove its launcher icon
Triggering techniques:
- Executed at launch
- Waits for a particular intent
Samples
Java source code extracts:
onCreate.java is the function called when the app is launched; the three steps described in the Details section are clearly visible in it. wipeMemoryCard.java is the function used to erase all data on the SD card; inside it is a call to another function, wipeDirectory().
Async_sendSMS.java is the AsyncTask of the MyServices class that sends SMS messages every 5 seconds.
getTopActivity.java is the function executed every 0.5 seconds by MyServices in order to block social apps.
HideAppFromLauncher.java is the function used to hide the launcher icon once the app becomes a device administrator.