Early launch Android malware: your phone is 0wned

Reserve paper

Samir Mody K7 Computing
Dhanalakshmi V K7 Computing

The recent Android ransomware Koler/Simple Locker, despite leaving the device's contents unencrypted, necessitated special manual cleanup actions or dedicated cleanup tools from AV companies. The reason for this was very simple. The malware, granted Device Administrator status through clever social engineering, registers callbacks to Android OS daemon broadcasts, and persistently reacts first to these stimuli such that a splash screen with ransomware demands is displayed before the hapless user has the opportunity to access the GUI of the installed AV solution to effect a scan and cleanup. This behaviour even survives a reboot.

It is possible to recover from this unenviable situation by returning the device to factory settings, fiddling about with buttons to obtain 'safe mode', uninstalling the malware via the ADB, or by using dedicated tools, but these options are far from ideal for the device's owner.

The simple example above demonstrates the ease with which mobile security solutions can be rendered impotent even when the malware can be detected with ease. It sets a dangerous precedent for dealing with far more obdurate malware including those that could burrow deep into the OS. We ought not to wait for these scenarios before acting.

This presentation will demo a sample of Koler in action, highlighting the difficulties faced in attempting to clean the infection. We investigate the Android OS daemon broadcast framework and boot mechanism in detail, identifying stages which could present opportunities for malware to 'hook' into, highlighted by an analysis of the Koler code which registers the callbacks to display the splash screen within intervals of a couple of seconds. Finally, we propose an updated boot and broadcast framework that would enable trusted applications such as mobile security apps to launch before any other application, thus strengthening the hand of AV companies in the absence of a bona fide Real-Time Scanning ability on Android.

Click here for more details about the conference.

Samir Mody

Samir Mody

Samir Mody graduated from the University of Oxford in 2000 with a Master's degree in chemical engineering, economics and management. Immediately after graduation he joined Sophos where he spent over nine years, the latter three of them as Threat Operations Manager of SophosLabs, UK. Since August 2010, as Senior Manager TCL, he has been running the Threat Control Lab at K7 Computing's head office in Chennai, India. Samir has actively contributed to the IEEE Taggant System project (http://standards.ieee.org/develop/indconn/icsg/amss.html) from its inception, and other industry initiatives such as AMTSO. He has co-authored and/or presented papers and participated in panel discussions at multiple international security conferences including EICAR, VB, and AVAR, and Government of India initiatives such as the National Cyber Safety Summit. Samir has also contributed to Virus Bulletin magazine, and of course to K7's blog (http://blog.k7computing.com). Samir's personal interests include reading (philosophy, politics, history, literature and economics), sport and classical music.

Dhanalakshmi V

Dhanalakshmi V

V.Dhanalakshmi, Senior Threat Researcher, has been with K7 Computing, Chennai, India for six years in K7's Threat Control Lab. Dhana graduated from Bharathiyar University, India in 2003 with a Bachelor's degree in electrical and electronics engineering. She started her career in March 2006 as Technical Support Executive - Virus Removal Team with Sutherland Global Services, Chennai. Later, she joined Technosoft Global Services, Chennai, and served as Threat Research Analyst till June 2008. She has presented papers at AVAR 2011 and AVAR 2013 conferences, and at the National Cyber Safety Summit 2013 conference organised by the Government of India. Her interests include listening to music and gardening.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.