A basic / test locker for Android

This is an analysis of sample sha256 73fae61d9550186c9b68c0e3a0589f1faaa87f6a9dc8290f98aaf55db3a58350, which was uploaded to VirusTotal on July 1, 2021. It is detected as Android/Locker.CQ!tr. This malware appears to be a test screen locker, with an explicit application icon named “Virus” and very few classes.

Overview

Most of the Quark rules match only with low confidence and are not relevant. With the custom rule set, only one relevant crime shows up:

Locking the screen

We disassemble the code. There are only 5 classes of interest: MainActivity, MyService, BootReceiver, ADRTLogCatReader and ADRTSender.

The main activity (named MainActivity) sets up the ADRTLogCatReader class and starts the MyService service.

ADRTLogCatReader communicates with another Android application whose package name is “com.aide.ui”. This is probably a debugging app implemented by the author. The class starts a thread that reads the system logs (using the logcat command we detected with Quark) and sends them line by line to the debugging app (the remaining functionalities in ADRTSender are not used).

MyService implements the malicious behaviour in a few lines. The idea is to display, on top of everything else, a window that cannot be dismissed.

The lock screen window consists of the malware’s icon (setImageResource), a button (resources reveal this button is named “Unlock Devices”), an edit text and a red background (setBackgroundColor). The window is:

  • Centered (gravity set to CENTER),
  • Of type TYPE_PHONE, which the Android documentation describes as “non-application windows providing user interaction with the phone (in particular incoming calls). These windows are normally placed above all applications, but behind the status bar. In multiuser systems shows on all users’ windows.”
  • Flagged FLAG_ALLOW_LOCK_WHILE_SCREEN_ON, i.e. the screen can be locked while the window is displayed.
  • Sized with width and height set to -2, which corresponds to WRAP_CONTENT.
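As an added triage example (not code from the post or from the sample), the following Python script scans decompiled smali for the indicators described above and in the ADRTLogCatReader paragraph: the TYPE_PHONE window type (constant 2002, i.e. 0x7d2), WRAP_CONTENT sizes (-2), CENTER gravity (0x11), the WindowManager.addView call, and the “logcat” and “com.aide.ui” strings. The smali excerpt is constructed to mimic the described behaviour, and the indicator weights are a hypothetical heuristic, not Quark's.

```python
import re
# Constructed smali excerpt (not the sample's real code) mimicking the behaviour
# described above: TYPE_PHONE (0x7d2) overlay, WRAP_CONTENT (-0x2) size,
# FLAG_ALLOW_LOCK_WHILE_SCREEN_ON (0x1), gravity CENTER (0x11), logcat to com.aide.ui.
SMALI_SAMPLE = """\
.method public onCreate()V
    new-instance v0, Landroid/view/WindowManager$LayoutParams;
    const/4 v1, -0x2
    const/4 v2, -0x2
    const/16 v3, 0x7d2
    const/4 v4, 0x1
    const/4 v5, -0x3
    invoke-direct {v0, v1, v2, v3, v4, v5}, Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V
    const/16 v1, 0x11
    iput v1, v0, Landroid/view/WindowManager$LayoutParams;->gravity:I
    invoke-interface {v2, v1, v0}, Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V
    const-string v1, "logcat"
    invoke-virtual {v2, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    const-string v1, "com.aide.ui"
    return-void
.end method
"""

# (name, regex, weight): the weights are a hypothetical triage heuristic.
INDICATORS = [
    ("overlay_type_phone", r"const/16 v\d+, 0x7d2\b", 3),
    ("overlay_addview", r"Landroid/view/WindowManager;->addView\(", 3),
    ("wrap_content_size", r"const/4 v\d+, -0x2\b", 1),
    ("gravity_center", r"const/16 v\d+, 0x11\b", 1),
    ("logcat_exec", r'const-string v\d+, "logcat"', 2),
    ("runtime_exec", r"Ljava/lang/Runtime;->exec\(", 1),
    ("aide_debug_pkg", r'const-string v\d+, "com\.aide\.ui"', 2),
]

def scan_smali(text):
    # Map each matched indicator name to the smali line numbers where it appears.
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, _ in INDICATORS:
            if re.search(pattern, line):
                hits.setdefault(name, []).append(lineno)
    return hits

def locker_score(hits):
    weights = {name: w for name, _, w in INDICATORS}
    return sum(weights[name] for name in hits)

def is_probable_locker(hits, threshold=6):
    # The overlay window type plus addView are required; other hits only raise confidence.
    return "overlay_type_phone" in hits and "overlay_addview" in hits and locker_score(hits) >= threshold
```

Because TYPE_PHONE windows need the SYSTEM_ALERT_WINDOW permission, checking the manifest for that permission is a cheap first filter before running the smali scan.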

Unlocking the screen

Fortunately, there is a way to get rid of this window.

The implementation of onClick() shows that if one enters the string “moises” in the edit field, it will kill the window.

Wannabe attacker?

This malware is very simple, coded in a few lines, nothing stealthy or tricky about it. Therefore, my guess is that it was written by a student or wannabe attacker.

If you are a computer security student or teacher, please refrain from doing so. Obviously, your code, which was meant just for you or a couple of “friends”, ended up in the wild, where it can be used and abused beyond your intent. We, malware analysts, already have tons of malware samples to analyze. Want to work on something cool? Try reversing malware! You will learn as much, and your actions will be positive.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.