Pierluigi Paganini
November 08, 2016
Blatant malicious behavior of the Locker virus
The Locker virus can easily be identified by its blatant malicious behavior. Here are the tell-tail signs:
A screenshot of an infected phone.
Infections of the Locker virus
The worst-hit areas of the Locker virus in China are shown in Figure 1 below. There are about 3,000 users infected on daily basis.
Figure 1. Locker virus infections in China
Figures 2 and 3 show the Locker virus infections worldwide in the last 15 days. The overall number of infections diversified, most of them in Russia.
Figure 2. Locker virus infections worldwide in the last 15 days.
Figure 3. Map view of the Locker virus infections worldwide in the last 15 days.
Don’t be tricked by the Locker virus
The Locker virus mainly disguises itself as system applications, like Android Update, Voice Assistant, and Adobe Flash Player. However, it can also appear as other applications, like adult video players, bank apps, and popular games, as shown in Figure 4.
Figure 4. The many disguises of the Locker virus.
How does the Locker virus work?
Here are the various methods the Locker virus uses to lock a mobile screen:
Added in API level 1
int TYPE_SYSTEM_ERROR
Window type: An internal system error windows appear on the top of the screen. In multi-user systems, it only appears on the primary user’s window.
Constant Value: 2010 (0x000007da)
The internal system error window is displayed in front of all other windows (Figure 5).
Figure 5. The internal system error window.
FLAG_FULLSCREEN
Added in API level 1
int FLAG_FULLSCREEN
Window flag: All screen decorations (such as the status bar) are hidden when an app window with a flag set is on the top layer. This allows the window to use the entire display. A fullscreen window will ignore a value of SOFT_INPUT_ADJUST_RESIZE for the window’s softInputMode field; the window will stay fullscreen and will not resize.
Constant Value: 1024 (0x00000400)
It will hide all other content on the screen and only allow the current window to use the fullscreen.
FLAG_LAYOUT_IN_SCREEN
Added in API level 1
int FLAG_LAYOUT_IN_SCREEN
Window flag: It will place the window within the entire screen, ignoring decorations around the border (such as the status bar). The window must correctly position its content to take the screen decoration into account. This flag is normally set (see Figure 6) by the WindowManager, as described in setFlags(int, int).
Constant Value: 256 (0x00000100)
It places the window on the whole screen.
Figure 6. This flag is normally set by the WindowManager.
Added in API level 1
int TYPE_PHONE
Window type: Non-application windows provide user interaction with the phone (such as incoming calls). These windows are normally placed above all applications but behind the status bar. In multi-user systems, it shows on all users’ windows.
Constant Value: 2002 (0x000007d2) – as shown in Figure 7
This window will be covered when there’s an incoming phone. Otherwise, the window is always in the top position, under the status bar.
Figure 7. The window will be covered when there’s an incoming call.
Added in API level 1
int TYPE_TOAST
Window type: These are transient notifications. In multi-user systems, it only shows on the primary user’s window.
Constant Value: 2005 (0x000007d5)
This window does not belong to the floating window, but it has the floating window’s function and can be displayed on the top layer (Figure 8).
Figure 8. The window can be displayed on the top layer.
The virus keeps displaying the top layer activity. If the top layer is not activated, the virus will close and reopen it (Figure 9).
Figure 9. Circular display of the top layer activity.
When the virus obtains administrator privileges, it changes the screen lock password (Figure 10).
Figure 10. With administrator privileges, the virus can change the lock screen password.
Of all the methods mentioned above, the virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen. The second most common method is the circular display of the top layer activity. The proportion of these two methods are 16% and 84%, respectively, as shown in Figure 11.
Figure 11. The virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen.
Ways to protect your mobile phone
You can protect your mobile device from the Locked virus. Here’s how:
Got Locked? We have solutions!
Here are some solutions to get rid of the Locked virus if your mobile device is infected:
[adrotate banner=”9″]
Written by Cheetah Mobile Security Research Lab
Edited by Pierluigi Paganini
(Security Affairs – Locker Virus, malware)
