New variants of Android.Lockscreen are using a simple, yet effective technique to improve their chances of successfully compromising devices. These new variants declare their main activity as part of the launcher category to get around the auto-start restrictions incorporated into Android 3.1 and all later versions.
We previously discussed how the Android OS will not allow applications to be launched automatically, unless they have been run by the user at least once, to prevent attackers from using malware that starts automatically. After Android implemented this protection mechanism, attackers began using social engineering tactics to get users to launch malicious applications so they could continue to run. More recently, attackers began using a new method that doesn't rely on the same old social engineering tricks to make sure their malware runs on infected Android devices.
The new Lockscreen variants act as part of the launcher category so that when a user presses the home button, the threat's main component will be listed as an alternative to Android's default launcher application. The malware is given a deceptive name to make it more likely the user will trigger it indirectly.
Figure 1 demonstrates what happens when the threat is installed on a user's device. At this point, the malicious application has already been installed, but not executed. Despite this, it still manages to get a trigger point through the launcher. In this specific instance, the malware has chosen the name “Android” for two reasons: firstly, since the launchers are listed alphabetically the malware will be listed above Android’s default launcher (named “Launcher”), secondly, the name “Android” may make some users believe the launcher is legitimate and part of the Android OS.
Figure 1. Android.Lockscreen variant registers main activity component as a launcher
Users can prevent the malware from running by carefully selecting the default Android launcher, or any other legitimate launcher that they may have installed, and choosing “Always” instead of “Just Once”. The malicious app should then be uninstalled.
Symantec and Norton products detect the threat discussed in this blog as:
Symantec recommends users follow these best practices to stay protected from mobile threats: