Contributor: Shaun Aimoto
Symantec has found an Android ransomware variant (Android.Lockdroid.E) that uses a new tactic, a fake package installation, to trick users into granting the malware device administrator rights. In addition to encrypting files found on the compromised device, the malware can, once it holds administrator rights, lock the device, change the device PIN, and even delete all user data through a factory reset.
Ransomware extortion methods
Android ransomware has a number of ways to extort victims. In the most common case, once a victim has downloaded and installed a fake or Trojanized app, the malware locks the screen and displays a bogus alert claiming that the user has accessed forbidden material. Meanwhile, in the background, it harvests the victim's contacts list and encrypts data. The victim is then told to pay a ransom under two threats: the loss of the encrypted data, and the sending of their browsing history to everyone in their contacts list.
More aggressive techniques rely on some social engineering to convince the user to activate the app as a device administrator. In the past, this was done by showing the system's device administrator activation dialog with a misleading description (Figure 1). This privilege escalation lets the app lock the screen, reset the device PIN, or perform a factory reset. It also prevents the user from uninstalling the malware, whether through the user interface (UI) or from a command line, because an active device administrator cannot be removed until it is deactivated. Combined with the ability to encrypt files, these techniques may make all the difference for attackers when it comes to extorting payment from victims.
Figure 1. Administrator activation dialog with misleading description
Clickjacking step by step
However, this new ransomware variant has leveled up, adopting more sophisticated social engineering to gain administrator rights. Once the malicious app (a fake porn-viewing app in this case) is installed and run by the user, the system activation dialog is called up and covered by a fake “Package Installation” window (Figure 2). The user believes they are clicking “Continue” to install a necessary Google-related package but, in actuality, they have taken the first step in activating the malicious app as a device administrator, which grants all the required capabilities the malware needs to run its more aggressive extortion.
Figure 2. Fake Package Installation dialog
The first step is the fake Package Installation dialog shown in Figure 2. While this dialog is displayed, the app is, in the background, encrypting all the files located on external storage and collecting the user's sensitive information. Once "Continue" is clicked, the app sends the system's device administrator activation request (the ACTION_ADD_DEVICE_ADMIN intent). Normally, the resulting activation dialog would be the topmost window. This variant, however, opens a TYPE_SYSTEM_ERROR window (Figure 3), a window type that is drawn on one of the highest layers and therefore covers the activation dialog. The malware's TYPE_SYSTEM_ERROR window is made to look like a progress message about unpacking the components of the package being installed. Nothing is being unpacked: the malware simply waits a short time without doing anything.
Figure 3. Fake “Unpacking the components” dialog
After the fake delay, a final "Installation is Complete" dialog is presented, and it is this step that tricks the user into granting the malware elevated privileges. The "Installation is Complete" dialog is actually a TYPE_SYSTEM_OVERLAY window. The defining characteristic of this window type is that it cannot take input focus or receive touches, so it cannot respond to UI operations such as button clicks; every tap passes through to the window beneath it, which in this case is the device administration activation dialog. Figure 4 compares the layout of the deceptive "Installation is Complete" dialog with that of the device administrator activation dialog: the "Continue" button is positioned exactly over the "Activate" button. When the user taps "Continue", they are in fact pressing "Activate".
Figure 4. Clickjacking overlay
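The sequence just described comes down to two platform rules: windows are stacked by type, and a TYPE_SYSTEM_OVERLAY window is never touchable, so taps land on whatever sits beneath it. The Python model below is an added illustration (it is not Symantec's code and not the malware's): the window-type, flag and MotionEvent constants are the real Android values, while the layer numbers, uids, screen geometry and the dispatch loop are constructed simplifications of pre-5.0 behaviour. It also shows the one check a dialog can make since Android 2.3 (API 9): the input dispatcher flags a touch with FLAG_WINDOW_IS_OBSCURED when another app's window covers the target at that point, and a view with filterTouchesWhenObscured set discards such touches.

```python
"""Simplified model of the Android window-stacking and touch-dispatch rules that the
overlay sequence relies on.  Added illustration, not Symantec's or the malware's code.
Window-type, flag and MotionEvent constants are the real values from
android.view.WindowManager.LayoutParams and android.view.MotionEvent; the layer
numbers, dispatch loop, uids and screen geometry are constructed simplifications."""
from dataclasses import dataclass, field

# android.view.WindowManager.LayoutParams
TYPE_APPLICATION = 2          # ordinary activity window: the device-admin activation dialog
TYPE_SYSTEM_OVERLAY = 2006    # the "Installation is Complete" window
TYPE_SYSTEM_ERROR = 2010      # the "Unpacking the components" window
FLAG_NOT_FOCUSABLE, FLAG_NOT_TOUCHABLE = 0x08, 0x10
# android.view.MotionEvent: set when another app's window lies between finger and target
FLAG_WINDOW_IS_OBSCURED = 0x1
# Z-order: approximate KitKat PhoneWindowManager layers; only the relative order matters here.
LAYER = {TYPE_APPLICATION: 2, TYPE_SYSTEM_OVERLAY: 18, TYPE_SYSTEM_ERROR: 21}


@dataclass
class Window:
    name: str
    uid: int
    wtype: int
    rect: tuple                                   # (left, top, right, bottom) in pixels
    flags: int = 0
    filter_touches_when_obscured: bool = False    # View.setFilterTouchesWhenObscured(true)
    buttons: dict = field(default_factory=dict)   # button label -> rect

    def __post_init__(self):
        # PhoneWindowManager.adjustWindowParamsLw forces both flags onto every
        # TYPE_SYSTEM_OVERLAY window: what it paints is only a picture over the window beneath.
        if self.wtype == TYPE_SYSTEM_OVERLAY:
            self.flags |= FLAG_NOT_FOCUSABLE | FLAG_NOT_TOUCHABLE


def contains(rect, x, y):
    left, top, right, bottom = rect
    return left <= x < right and top <= y < bottom


def dispatch_touch(stack, x, y):
    """Deliver a touch at (x, y) to the topmost touchable window under it.
    Returns (window_name, button_label, motion_event_flags).  Modelled rules: untouchable
    windows are skipped, and a target covered at (x, y) by another uid's window gets the
    event with FLAG_WINDOW_IS_OBSCURED; a filtering view then drops it (label None)."""
    covering_uids = set()
    for w in sorted(stack, key=lambda w: LAYER[w.wtype], reverse=True):
        if not contains(w.rect, x, y):
            continue
        if w.flags & FLAG_NOT_TOUCHABLE:
            covering_uids.add(w.uid)
            continue
        flags = FLAG_WINDOW_IS_OBSCURED if any(u != w.uid for u in covering_uids) else 0
        if flags and w.filter_touches_when_obscured:
            return w.name, None, flags
        for label, brect in w.buttons.items():
            if contains(brect, x, y):
                return w.name, label, flags
        return w.name, None, flags
    return None, None, 0


# Constructed geometry and uids for a 720x1280 screen.
SCREEN = (0, 0, 720, 1280)
CANCEL_BTN = (20, 1150, 350, 1240)
ACTIVATE_BTN = (370, 1150, 700, 1240)
SYSTEM_UID, MALWARE_UID = 1000, 10123


def admin_dialog(hardened=False):
    """The system's device-administrator activation dialog (Figure 1)."""
    return Window("DeviceAdminAdd", SYSTEM_UID, TYPE_APPLICATION, SCREEN,
                  filter_touches_when_obscured=hardened,
                  buttons={"Cancel": CANCEL_BTN, "Activate": ACTIVATE_BTN})


def unpacking_window():
    """Fake 'Unpacking the components' window (Figure 3): TYPE_SYSTEM_ERROR and touchable,
    so it swallows every tap while the malware idles and the dialog waits underneath."""
    return Window("Unpacking", MALWARE_UID, TYPE_SYSTEM_ERROR, SCREEN)


def installation_complete_window():
    """Fake 'Installation is Complete' window (Figure 4): TYPE_SYSTEM_OVERLAY whose painted
    'Continue' button sits exactly over the real 'Activate' button."""
    return Window("InstallComplete", MALWARE_UID, TYPE_SYSTEM_OVERLAY, SCREEN,
                  buttons={"Continue": ACTIVATE_BTN})


def tap_continue(stack):
    """Tap the centre of the spot where the user sees 'Continue'."""
    left, top, right, bottom = ACTIVATE_BTN
    return dispatch_touch(stack, (left + right) // 2, (top + bottom) // 2)


def run(hardened=False):
    """What the user's tap actually reaches at each step, for a stock dialog or one
    whose views filter obscured touches."""
    return {
        "during_unpacking": tap_continue([admin_dialog(hardened), unpacking_window()]),
        "on_continue": tap_continue([admin_dialog(hardened), installation_complete_window()]),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        for step, (win, btn, flags) in run(hardened).items():
            print(f"hardened={hardened!s:<5} {step:<16} -> {win} button={btn} obscured={bool(flags)}")
```

Running the model shows the tap going to the TYPE_SYSTEM_ERROR window during the "Unpacking" phase, then reaching "Activate" in the real dialog, with the obscured flag set, once the overlay is up. A dialog whose views filter obscured touches drops that tap instead. Because the check keys on the obscured flag rather than on layout, it defends any app that shows a sensitive confirmation prompt, not just this dialog.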
Other malicious uses
This clickjacking technique can also be used for other malicious purposes. One example is the root permission manager, a tool found on most rooted devices. It watches for any app that tries to elevate its privileges to root (by calling "su") and shows the user a dialog asking for permission on the app's behalf before allowing the call to proceed. Using the window overlay trick described above, malware could have the user approve that prompt unknowingly and so circumvent this safeguard.
Starting with Android 5.0 (Lollipop), the platform prevents the window types described above from being displayed over the system permission dialog. As a result, this clickjacking technique only affects devices running versions of Android older than 5.0; at the time of writing, however, those amount to almost 67 percent of Android devices.
The malware is disguised as a porn app called Porn ‘O’ Mania. The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites. Users who have Google Play installed are protected from this app by Verify Apps even when downloading it outside of Google Play. Symantec advises users to only download apps from trusted app stores.
The following measures are also recommended to help users to protect their devices against threats:
Symantec and Norton products detect this threat as Android.Lockdroid.E.