

Wipelocker is a ransomware trojan that affects Android. It is packaged as com.elite.

The Wipelocker Trojan was not created to make money or to steal sensitive information. Unlike the similar Trojan “Simplocker”, it never asks for a ransom fee to unlock the device, and it does not send an SMS message to a premium number.

It is believed that it is a modified version of Elite due to its aliases. 

Behavior

It behaves similarly to Elite: it does the same things, except that it doesn't deep watch.

Payload

Transmission

The Trojan was available for download on third-party Android app stores under the name “Angry Bird Transformers”. The user is able to download the app but has to install it manually. This means that the user has to go to settings and allow installation from “Unknown sources” to be able to install the Trojan.

Image caption: the .apk file that leads to the infection. Notice that it says "angry bird" instead of "angry birds".


When installed, the Android application asks for the RECEIVE_BOOT_COMPLETED permission. The application adds a BOOT_COMPLETED receiver that notifies the Trojan after the phone has been rebooted and then starts the malicious services.

Infection

During installation, the fake Angry Birds Transformers app asks for administrator rights, and the Trojan then runs a method called “wipeMemoryCard()”. This method deletes every single file on the user’s SD card.

After this is done, the Trojan sends SMS messages to every single contact in the user’s phone book, one every 5 seconds. The message that the Trojan sends is "HEY!!! [Name of contact] Elite has hacked you. Obey or be hacked". In the code, getString(2131230726) returns <string name="msg">Elite has hacked you.Obey or be hacked.</string>.

The doInBackground method creates the SMS message with this content and tries to send an SMS message every 5 seconds (Thread.sleep(5000L)). sendSMS uses the telephony receiver to send a multipart text message. Screen locking does not occur if a package named com.hellboy is installed on the device.

If the user opens a social media app like Google Hangouts or Facebook, the user will get a screen showing the Android mascot wielding an SMG and wearing a Guy Fawkes mask, with big text saying:

"OBEY or Be HACKED"

List of permissions

  • android.permission.GET_TASKS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.READ_SMS
  • android.permission.WRITE_SMS
  • android.permission.READ_CONTACTS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WRITE_SETTINGS
  • android.permission.WAKE_LOCK
  • android.permission.BIND_DEVICE_ADMIN
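
The permission set and the boot receiver described above can be checked statically before an APK is installed. The following is an added example, not code from the Trojan or from the original page: it reads a decoded AndroidManifest.xml and reports which of the capabilities described here the app could exercise. The capability names, the review rule and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability groups derived from the behaviour and permission list on this page.
CAPABILITIES = {
    "sms_to_contacts": {P + "SEND_SMS", P + "READ_CONTACTS"},
    "storage_wipe": {P + "WRITE_EXTERNAL_STORAGE"},
    "boot_persistence": {P + "RECEIVE_BOOT_COMPLETED"},
    "device_admin": {P + "BIND_DEVICE_ADMIN"},
    "foreground_app_watch": {P + "GET_TASKS"},
}
# Assumption: this trio together is what warrants manual review.
REVIEW_IF = {"sms_to_contacts", "storage_wipe", "device_admin"}

# Constructed sample manifest (decoded XML), not taken from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakegame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def declared_permissions(root):
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # BIND_DEVICE_ADMIN is normally set as android:permission on the admin receiver.
    perms |= {e.get(NS + "permission") for e in root.iter("receiver")}
    perms.discard(None)
    return perms

def boot_receivers(root):
    return [r.get(NS + "name") for r in root.iter("receiver")
            if any(a.get(NS + "name") == "android.intent.action.BOOT_COMPLETED"
                   for a in r.iter("action"))]

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    hits = sorted(c for c, need in CAPABILITIES.items() if need <= perms)
    return {"package": root.get("package"), "capabilities": hits,
            "boot_receivers": boot_receivers(root),
            "review": REVIEW_IF <= set(hits)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The manifest has to be in decoded XML form; the binary AndroidManifest.xml inside an APK must be converted first.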