We came across a tweet about a lock screen app which installs ransomware by faking itself as a legitimate app, so that users are tricked into falling prey. This approach by the threat actor was quite interesting considering the fact that there were no ransom demands and the key to unlock the device has been hardcoded in the app.  In this blog, we will be explaining the technical aspects of the app which was developed by an attacker to lock the screen of a user’s device. 

Technical Details

Once the app “gbwhatsapp.apk“ ( Hash: 70273ee146260bafb1cc136a0249e2a2 ) is installed as shown in Figure 1, it seems to execute a shell command in its class ADRTLogCatReader. In the code shown in Figure 2, we can see it uses the command “logcat -v threadtime”.  The shell command adb logcat -v threadtime displays the date, invocation time, priority, tag, and the PID and TID of the thread issuing the message. 

Figure 1:  “gbwhatsapp.apk“ installed on the device
Figure 2: Code using shell command

In the main activity, it looks like this app was developed on AIDE “com.aide.ui”, a tool to develop Android apps directly on an Android device as shown in Figure 3, and the main activity starts a service named MyService

Figure 3: ADRTLogCatReader communicates with com.aide.ui for debugging

MyService invokes the malicious behaviour of the app. The idea behind this is displaying a lock screen window which cannot be exited until the correct key is entered. WindowManager displays a window on top of the screen and makes it persist using the function Toast.makeTest().show() as shown in Figure 4.

Figure 4: Code to display lock screen 

The lock screen consists of a note which can be seen from resource field “ransomware virus sistem lock” and “you sistem already lock dont any restart or uninstall thisfile cant damage and default virus for information call ask (Variants19crew)….” as shown in Figure 5 and Figure 6.

Figure 5: Code containing note to be displayed
Figure 6: Lock screen display

Fortunately, there were no ransom demands and the key to unlock the device has also been hardcoded which can be used to get rid of this window as shown in Figure 7. When the user unlocks the device by entering the string “anonymous86”, it will kill the app.

Figure 7: Code for gbwhatsapp.apk to unlock the device

There are scenarios where the malware author demands a ransom for the app “instagramgold.apk” as shown in Figure 8. The lock screen consists of a note which can also be seen from resource field “POOLS CLOSED” and “As you can see your phone has been hacked and with that, all of you information, right now as we speak is being uploaded to a magical place for exploitation. However this can be avoided. we’d like $1000.00 send to this bitcoin address bc1qj7a82wmtmm8a4vt2z93jxn5cemfjztnqffn0e9 within 24hrs or life gets worse. Cheerio

Figure 8: Lock screen demanding ransom

Fortunately, the key to get rid of this lock screen window is hardcoded. The device can be unlocked by entering the string “17317071” as shown in Figure 9 which kills the app.

Figure 9: Code for instagramgold.apk to unlock the device

This malware author is spreading a fake lock screen app resembling legitimate apps such as WhatsApp, GitHub, Netflix, Instagram Gold, Spotify, etc. However, while some of the apps of this type demand a ransom to unlock the device’s screen, a few others don’t. That said, we at K7 Labs are constantly monitoring such campaigns. We recommend users to avoid believing in such third party apps and break the chain in spreading these fake apps.

Indicators of Compromise (IOCs)

Package nameHashDetection Name
gbwhatsapp.apk70273ee146260bafb1cc136a0249e2a2Trojan ( 0057c6481 )
instagramgold.apk0f7457d6265894866179aae48e02ab54Trojan ( 00533ef71 )
github.apk9f976a60bf58d8331f4444eadb8bb6ecTrojan ( 0057c6481 )
netflix_mod.apkb21d22ac5d9274d0b3fea13b1b5b03e0Trojan ( 00533ef71 )
whatsapp.apk133b2254b7476b74a0bec7f78403b4c2Trojan ( 00533ef71 )
netlixmod.apkdd89c6495618a9ba6f60b7a2b0e0feecTrojan ( 00533ef71 )
insta.apk19f4ace950b6a24158b3d04621971308Trojan ( 0057c6481 )
instagram.apkf4b5e57707e35c7aedf13565df937dcaTrojan ( 00533ef71 )
spotifymodbyking.apka57fd47adfeb0ad3d5e18e3bf3b73dacTrojan ( 0057c6481 )
netflix.apk5ab43fb6ebbccee413b829297a9115feTrojan ( 00533ef71 )
netflixhack.apk38eb57feecc37c440abc79ea3d41892fTrojan ( 00533ef71 )
tiktokcrack.apk1a0966aa51290d1d33c7a4c977a51015Trojan ( 00533ef71 )
whatsappbannedpremium.apk4ffc021026119e3fc9ad76bb7a2b3db7Trojan ( 00533ef71 )
whatsapp-banned.apk3ebbd21ba983a4e718da9a1f45788a23Trojan ( 0057c6481 )
spotify.apk72883d06b5df665b318d626df32e6f80Trojan ( 0057c6481 )
youtubepremium.apk0aba07866fbb4c0ec42831aa24d22c7cTrojan ( 0057c6481 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Beware of this Lock Screen App”