This is an analysis of sample sha256
73fae61d9550186c9b68c0e3a0589f1faaa87f6a9dc8290f98aaf55db3a58350, which was uploaded to VirusTotal on July 1, 2021. It is detected as Android/Locker.CQ!tr. This malware appears as a test screen locker, with an explicit application icon “Virus”, and very few classes.
Most of the Quark rules match with only low confidence and are not relevant. With the custom set of rules, only one relevant crime shows up:
Locking the screen
We disassemble the code. There are only 5 classes of interest:
The main activity (named MainActivity) sets up the ADRTLogCatReader class and starts the MyService service.
ADRTLogCatReader communicates with another Android application whose package name is “com.aide.ui”. This is probably a debugging app implemented by the author. The class starts a thread that reads the system logs (using the logcat command we detected with Quark) and sends them line by line to the debugging app (the remaining functionalities in ADRTSender are not used).
MyService implements the malicious behaviour in a few lines. The idea consists in displaying, on top of everything else, a window which cannot be dismissed.
The lock screen window consists of the malware’s icon (setImageResource), a button (resources reveal this button is named “Unlock Devices”), an edit text and a red background (setBackgroundColor). The window is:
- Centered (gravity to
- TYPE_PHONE. The Android documentation describes these as “non-application windows providing user interaction with the phone (in particular incoming calls). These windows are normally placed above all applications, but behind the status bar. In multiuser systems shows on all users’ windows.”
- FLAG_ALLOW_LOCK_WHILE_SCREEN_ON, i.e. the screen can be locked while the window is displayed.
- Width and height are set to -2, which corresponds to
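The window parameters above are exactly what an analyst can pivot on to triage other samples of this kind. The following is an added example, not code from the original analysis or from the sample: a small static heuristic that walks a method's smali, tracks the constants loaded into registers, and flags a WindowManager.LayoutParams built with a system-level window type (TYPE_PHONE as here, generalised to a few other overlay types whose numeric values are known Android constants), WRAP_CONTENT (-2) dimensions, the FLAG_ALLOW_LOCK_WHILE_SCREEN_ON flag, and a direct WindowManager.addView() call. The two smali inputs are constructed for the example and only modelled on the pattern described above.

```python
"""Static heuristic for the overlay screen-locker pattern: a WindowManager
LayoutParams built with a system-level window type, wrapped content, the
FLAG_ALLOW_LOCK_WHILE_SCREEN_ON flag, and a WindowManager.addView() call.
Added example; constants are the known Android values, samples are constructed."""
import re
from typing import Dict

# Known android.view.WindowManager.LayoutParams window types that draw above apps.
OVERLAY_TYPES = {
    2002: "TYPE_PHONE",
    2003: "TYPE_SYSTEM_ALERT",
    2006: "TYPE_SYSTEM_OVERLAY",
    2038: "TYPE_APPLICATION_OVERLAY",
}
FLAG_ALLOW_LOCK_WHILE_SCREEN_ON = 0x1
WRAP_CONTENT = -2  # ViewGroup.LayoutParams.WRAP_CONTENT

# smali constant loads: "const/16 v2, 0x7d2", "const/4 v1, -0x2", "const v5, 12345"
CONST_RE = re.compile(
    r"^\s*const(?:/4|/16|/high16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)\b")
# LayoutParams(int w, int h, int type, int flags, int format) constructor call
LP_INIT_RE = re.compile(
    r"^\s*invoke-direct\s+\{([^}]*)\},\s*"
    r"Landroid/view/WindowManager\$LayoutParams;-><init>\(IIIII\)V")
ADDVIEW_RE = re.compile(r"Landroid/view/WindowManager;->addView\(")


def scan_smali(smali: str) -> Dict[str, object]:
    """Walk one method's smali in order, remembering the last constant written
    to each register (straight-line code only: branches, fields and method
    results are not modelled), and report overlay-locker indicators."""
    regs: Dict[str, int] = {}
    report: Dict[str, object] = {
        "overlay_type": None,            # name of the system window type, if any
        "wrap_content": False,           # width and height both WRAP_CONTENT
        "lock_while_screen_on": False,   # FLAG_ALLOW_LOCK_WHILE_SCREEN_ON set
        "window_manager_addview": False, # view attached straight through WindowManager
    }
    for line in smali.splitlines():
        m = CONST_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 0)  # base 0 handles 0x.. and the sign
            continue
        m = LP_INIT_RE.match(line)
        if m:
            args = [r.strip() for r in m.group(1).split(",")]
            # args[0] is the new LayoutParams object; then width, height, type, flags, format
            if len(args) == 6:
                width, height, wtype, flags = (regs.get(r) for r in args[1:5])
                if wtype in OVERLAY_TYPES:
                    report["overlay_type"] = OVERLAY_TYPES[wtype]
                report["wrap_content"] = width == WRAP_CONTENT and height == WRAP_CONTENT
                if flags is not None and flags & FLAG_ALLOW_LOCK_WHILE_SCREEN_ON:
                    report["lock_while_screen_on"] = True
            continue
        if ADDVIEW_RE.search(line):
            report["window_manager_addview"] = True
    # A system-type window attached directly through WindowManager is the core of
    # the locker; the dimensions and flag are supporting evidence for triage notes.
    report["screen_locker_pattern"] = bool(report["overlay_type"]) and report["window_manager_addview"]
    return report


# Constructed smali modelled on the MyService description (not the sample's real code).
SAMPLE_LOCKER_SMALI = """\
    const/16 v1, -0x2
    const/16 v2, 0x7d2
    const/4 v3, 0x1
    const/4 v4, -0x3
    new-instance v0, Landroid/view/WindowManager$LayoutParams;
    invoke-direct {v0, v1, v1, v2, v3, v4}, Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V
    invoke-interface {v5, v6, v0}, Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V
"""

# Constructed benign counterpart: an ordinary application window (type 2) resized via its own Window.
SAMPLE_BENIGN_SMALI = """\
    const/4 v1, -0x1
    const/4 v2, 0x2
    const/4 v3, 0x0
    const/4 v4, -0x3
    new-instance v0, Landroid/view/WindowManager$LayoutParams;
    invoke-direct {v0, v1, v1, v2, v3, v4}, Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V
    invoke-virtual {v5, v0}, Landroid/view/Window;->setAttributes(Landroid/view/WindowManager$LayoutParams;)V
"""

if __name__ == "__main__":
    for name, code in (("locker", SAMPLE_LOCKER_SMALI), ("benign", SAMPLE_BENIGN_SMALI)):
        print(name, scan_smali(code))
```

The register tracking is deliberately naive: it follows straight-line code, so a sample that loads the window type from a field or computes it at runtime will not be caught. That is acceptable for triage of unsophisticated lockers like this one; for anything stealthier, the same indicators are better expressed as Quark rules over the API calls, as the analysis above did for the logcat behaviour.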
Unlocking the screen
Fortunately, there is a way to get rid of this window.
The implementation of onClick() shows that if one enters the string “moises” in the edit field, it will kill the window.
This malware is very simple, coded in a few lines, nothing stealthy or tricky about it. Therefore, my guess is that it was written by a student or wannabe attacker.
If you are a computer security student or teacher, please refrain from writing this kind of code. Obviously, code which was meant just for you or a couple of “friends” ended up in the wild, where it can be used and abused beyond your intent. We, malware analysts, already have tons of malware samples to analyze. Want to work on something cool? Try reversing malware! You will learn as much, and your actions will be positive.