Android/PrnLocker.A!tr

Analysis

Android/PrnLocker.A!tr.dldr is a piece of malware targetting Android mobile phones.
The malicious package generally comes within or disguised as an application for viewing for pornographic videos or as a browser update.
However, in the background, it installs a Trojan horse contained within itself on the phone, that periodically leaks Build information about the phone as well as contact information, call logs and pictures taken.
Lastly, it inhibits regular usage of the phone by retaining a message on the phone stating the system is being updated.
The main applications generally come as a BrowserUpdate, in packages named "edu.greenhouses.icing", "net.elite.combinations" etc. In some cases, it is also found contained within and loaded by Android/PrnLocker.A!tr.dldr Upon launch, the application requests Device Administrator Privileges, which, if granted, make uninstallation of the application tricky.

Fig1 : Request for Device Administrator Privileges
The package is obfuscated and encrypts the main strings used by the package. An example of the decrypted configuration strings is :

[overanxious, diffusivity, 62, android.intent.action.VIEW, 
data, topology, removeActiveAdmin, display_name, com.android.settings.DeviceAdminAdd, 
android_id, degraded, seclocktexts, waitlock, abloom, web1: , ce, le, indeed, hacks, se, 
javascript:badCode(), id, params.png, EGZrUeYMICRj1CeRXt0VNQ==, android.intent.action.MAIN, 61, 
,, Tap ACTIVATE to continue with software update. By tapping CANCEL you can interrupt 
installation process and cause lost of data, 17, rws, generosity, ENETUNREACH, 5, fat, 0, 
seclock, add, file:///android_asset/none.html, ___, 14, exception , AES, 9, energy, cam1, .apk, 
15, requestLocationUpdates, mockup, chalice, speedily, badcode, svc, power, 
android.hardware.camera.front, outvoted, floppy, .html, phone, phones, .jpg, ., 6, 
android.hardware.camera, hardlock, r, thatcher, alarm, 1, da1, vurl, loadInstallData, same, 
apkfile, fewness, com.android.settings, utf-8, reinsurance, 3, javascript:loadImage(), package:,
market://details?id=, 4, , android.intent.action.SCREEN_OFF, android.app.action.ADD_DEVICE_ADMIN, com.android.vending, 11, notification, android.intent.action.USER_PRESENT, 
android.intent.category.HOME, 16, 5.4, hxxp://pXXXXXy.biz, simplify, 2, connectivity, [], 
rephrase, beleaguered, onced, 8, tripoli, destabilise, android.intent.action.DELETE, device_policy, network, 
hxxp://seXXXXXXXXbe.biz, spellable, alluvia, android.intent.action.BOOT_COMPLETED, html, report, 
com.android.packageinstaller, 12, 10, unlock, unashamedly, com.android.launcher, 7, location, webapi, 
number, palming, tpsc, gps, ?p=, android.app.extra.ADD_EXPLANATION, prohibitively, activity, dispossession, 
enhancements, android.intent.action.SCREEN_ON, meaninglessly, null, file:///android_asset/index.html, S, 
file://, force-locked, N, softlock, result, none, window, yyyy-MM-dd HH:mm:ss.SSS, bearing, 
android.permission.READ_SMS, 60, index.html, fri, grills, android.app.extra.DEVICE_ADMIN, rurl, 
application/vnd.android.package-archive, com.android.packageinstaller.PackageInstallerActivity, date DESC, trademark, 13, ]

The malware collects information from the phone and mainly sends out 2 kinds of HTML POST messages with different parameters explained below:

• report These messages are sent after the malware is installed and every time a picture is taken from the infected phone. The parameters Build Information, details of saved contacts and log information from attempts to launch the front camera.
• data These messages include parameters pertaining to Build Information, Call logs, Installed package information and Location info. The messages are sent in AES encrypted, then Base-64 encoded format.

The malware deletes any files with the extension .apk on the phone's external memory, probably to destroy any backups, making recovery difficult. However, none of the user's information is deleted. Apart from sending information, the malware blocks the phone at a (fake) message screen specifying the phone is updating (Fig2). This page is obtained from none.html in the package assets.

Fig2 : Screen Lock
Permissions required by the application:

• INTERNET
• READ_PHONE_STATE
• WAKE_LOCK
• ACCESS_NETWORK_STATE
• RECEIVE_BOOT_COMPLETED
• PROCESS_OUTGOING_CALLS
• WRITE_EXTERNAL_STORAGE
• WRITE_CONTACTS
• WRITE_SETTINGS
• SYSTEM_ALERT_WINDOW
• CAMERA
• GET_TASKS
• ACCESS_COARSE_LOCATION
• ACCESS_FINE_LOCATION
• ACCESS_COARSE_UPDATES
• READ_CONTACTS
• READ_PROFILE
• READ_CALL_LOG

Certificate information:

• Owner: CN=, OU=, O=, C=
• Issuer: CN=, OU=, O=, C=

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.