A basic / test locker for Android

Overview

The sample’s name is explicit: “Virus”. The package name suggests a test malware written by a student or wannabe malware author. MobSF rates the sample as “secure”. Beware: MobSF’s score measures the app’s own implementation weaknesses (exposed components, insecure storage, weak crypto and so on), so “secure” only means the sample has no obvious vulnerabilities of that kind, not that it is “safe to use” (it is malicious!).
The malware apparently executes a shell command in its class ADRTLogCatReader. Indeed, if we check the code, we see it runs “logcat -v threadtime”, which dumps the system log with the date, invocation time, priority, tag, PID and TID of each entry. This class is not the payload: ADRT classes are the debug runtime characteristic of apps built with the on-device AIDE IDE, which fits the “student or wannabe” profile rather than being malicious in itself.

Locking the screen

Note the calls to ADRTLogCatReader.onContext(…) and startService(…): the activity hands the actual locking over to a service.
The service builds the lock screen window with a WindowManager.LayoutParams whose fields are:
  • Gravity CENTER, so the window is centered on the screen.
  • Type TYPE_PHONE. The Android documentation describes these as “non-application windows providing user interaction with the phone (in particular incoming calls). These windows are normally placed above all applications, but behind the status bar. In multiuser systems shows on all users’ windows.” Two practical consequences: drawing such a window requires the SYSTEM_ALERT_WINDOW permission (on Android 6.0 and later the user normally has to grant it through the “Draw over other apps” setting), and TYPE_PHONE is deprecated for non-system apps since API level 26, where TYPE_APPLICATION_OVERLAY is expected instead.
  • Flag FLAG_ALLOW_LOCK_WHILE_SCREEN_ON, i.e. the device’s own lock screen is allowed to activate while this window is visible.
  • Width and height are set to -2, which is the value of LayoutParams.WRAP_CONTENT (-1 would be MATCH_PARENT).
Lock screen in action. Exactly as we worked out through reverse engineering: a red window with a button and an edit text, on top of everything else.
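In the decompiled code these window parameters appear as raw integers (type 2002, flags 1, width and height -2, gravity 17), which is why reading them off smali is error-prone. The script below is an added example, not code from the article or from the sample: it decodes WindowManager.LayoutParams constants from a smali listing so the same check can be repeated on other lockers. The smali snippet embedded in it is constructed to mirror the parameters described above, not the sample’s real bytecode, and the constant tables are those of the public Android SDK. It goes slightly beyond this sample by handling the three-, five- and seven-int LayoutParams constructors and field writes made after construction.

```python
"""Decode android.view.WindowManager.LayoutParams constants from smali.

Added example (not the article's code, not the sample's bytecode). The smali
below is CONSTRUCTED to mirror the window parameters described in the article;
the constant tables come from the public Android SDK.
"""
import re
import sys

# android.view.WindowManager.LayoutParams.TYPE_* (subset)
WINDOW_TYPES = {
    1: "TYPE_BASE_APPLICATION", 2: "TYPE_APPLICATION", 3: "TYPE_APPLICATION_STARTING",
    2000: "TYPE_STATUS_BAR", 2002: "TYPE_PHONE", 2003: "TYPE_SYSTEM_ALERT",
    2005: "TYPE_TOAST", 2006: "TYPE_SYSTEM_OVERLAY", 2007: "TYPE_PRIORITY_PHONE",
    2010: "TYPE_SYSTEM_ERROR", 2038: "TYPE_APPLICATION_OVERLAY",
}
# Types that draw over other apps. All need SYSTEM_ALERT_WINDOW; the legacy
# ones (2002..2010) are deprecated for non-system apps since API level 26.
OVERLAY_TYPES = {2002, 2003, 2006, 2007, 2010, 2038}
# android.view.WindowManager.LayoutParams.FLAG_* (subset)
WINDOW_FLAGS = {
    0x1: "FLAG_ALLOW_LOCK_WHILE_SCREEN_ON", 0x2: "FLAG_DIM_BEHIND",
    0x8: "FLAG_NOT_FOCUSABLE", 0x10: "FLAG_NOT_TOUCHABLE", 0x20: "FLAG_NOT_TOUCH_MODAL",
    0x80: "FLAG_KEEP_SCREEN_ON", 0x100: "FLAG_LAYOUT_IN_SCREEN",
    0x200: "FLAG_LAYOUT_NO_LIMITS", 0x400: "FLAG_FULLSCREEN", 0x2000: "FLAG_SECURE",
    0x80000: "FLAG_SHOW_WHEN_LOCKED", 0x200000: "FLAG_TURN_SCREEN_ON",
    0x400000: "FLAG_DISMISS_KEYGUARD",
}
GRAVITY = {0: "NO_GRAVITY", 0x1: "CENTER_HORIZONTAL", 0x3: "LEFT", 0x5: "RIGHT",
           0x10: "CENTER_VERTICAL", 0x11: "CENTER", 0x30: "TOP", 0x50: "BOTTOM"}
SIZES = {-1: "MATCH_PARENT", -2: "WRAP_CONTENT"}  # ViewGroup.LayoutParams
PIXEL_FORMATS = {-3: "TRANSLUCENT", -2: "TRANSPARENT", -1: "OPAQUE", 1: "RGBA_8888", 4: "RGB_565"}
# Argument order of the int-only LayoutParams constructors, keyed by arity.
CTOR_ARGS = {3: ("type", "flags", "format"),
             5: ("width", "height", "type", "flags", "format"),
             7: ("width", "height", "x", "y", "type", "flags", "format")}

LP = re.escape("Landroid/view/WindowManager$LayoutParams;")
CONST_RE = re.compile(r"^const(?:/4|/16|/high16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")
INVOKE_RE = re.compile(r"^invoke-direct(?:/range)?\s+\{([^}]*)\},\s*" + LP + r"-><init>\((I+)\)V$")
IPUT_RE = re.compile(r"^iput\s+([vp]\d+),\s*([vp]\d+),\s*" + LP + r"->(\w+):I$")


def _registers(spec):
    """Expand 'v0 .. v5' or 'v0, v1, v2' into a list of register names."""
    spec = spec.strip()
    if ".." in spec:
        lo, hi = (int(s.strip()[1:]) for s in spec.split(".."))
        return [f"{spec[0]}{i}" for i in range(lo, hi + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def decode_flags(flags):
    """Name each known FLAG_* bit; unknown bits are reported as one hex value."""
    names = [name for bit, name in sorted(WINDOW_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(WINDOW_FLAGS)
    return names + ([f"0x{unknown:x}"] if unknown else [])


def describe(raw):
    """Translate raw ints into SDK names and flag overlay-capable windows."""
    out = dict(raw)
    for key in ("width", "height"):
        if key in out:
            out[key] = SIZES.get(out[key], out[key])
    if "type" in out:
        out["type"] = WINDOW_TYPES.get(out["type"], out["type"])
    if "flags" in out:
        out["flags"] = decode_flags(out["flags"])
    if "format" in out:
        out["format"] = PIXEL_FORMATS.get(out["format"], out["format"])
    if "gravity" in out:
        out["gravity"] = GRAVITY.get(out["gravity"], hex(out["gravity"]))
    out["draws_over_other_apps"] = raw.get("type") in OVERLAY_TYPES
    return out


def find_layout_params(smali):
    """Return one decoded dict per WindowManager.LayoutParams built in the listing.

    A tiny constant-propagation pass: remember the last const loaded into each
    register, resolve the constructor's argument registers when the <init>
    call appears, then pick up later iput writes to the same object register.
    """
    regs, objects = {}, []
    for line in smali.splitlines():
        line = line.strip()
        m = CONST_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 0)
            continue
        m = INVOKE_RE.match(line)
        if m:
            args = _registers(m.group(1))
            names = CTOR_ARGS.get(len(m.group(2)))
            if names and len(args) == len(names) + 1:  # args[0] is 'this'
                objects.append((args[0], {n: regs[r] for n, r in zip(names, args[1:]) if r in regs}))
            continue
        m = IPUT_RE.match(line)
        if m:
            value, obj, field = m.groups()
            for reg, params in objects:
                if reg == obj and value in regs:
                    params[field] = regs[value]
    return [describe(p) for _, p in objects]


# CONSTRUCTED smali mirroring the article's description, not the real sample.
SAMPLE_SMALI = """
    new-instance v0, Landroid/view/WindowManager$LayoutParams;
    const/4 v1, -0x2
    const/4 v2, -0x2
    const/16 v3, 0x7d2
    const/4 v4, 0x1
    const/4 v5, -0x3
    invoke-direct/range {v0 .. v5}, Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V
    const/16 v6, 0x11
    iput v6, v0, Landroid/view/WindowManager$LayoutParams;->gravity:I
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMALI
    for params in find_layout_params(text):
        print(params)
```

Run it without arguments to decode the constructed snippet, or pass a smali file produced by apktool (for example the service class of a suspected locker). The constant propagation is deliberately naive: it only follows const loads, so a type or flag computed at runtime or passed in from a caller will show up as missing rather than mis-decoded, which is the safer failure for triage.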

Unlocking the screen

Method onClick() is called when the user taps the “Unlock Devices” button.

Wannabe attacker?

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax