Archive | March 30, 2015

Android Locker Trojan in the wild

Android package file
The Trojan may arrive as a package with the following characteristics:

Package name: Nero.lockphone
Version number: 1.0

When the Trojan is being installed, it requests permissions to perform the following actions:

  • Access information about the Wi-Fi state
  • Change Wi-Fi state
  • Start once the device has finished booting
  • End background processes
  • Access list of current or recently running tasks
  • Prevent processor from sleeping or screen from dimming
  • Send SMS messages

Once installed, the application will display an icon with a picture of a red-haired boy on a bicycle.

When the Trojan is executed, it creates a service with the following name:

  • killserve

Next, the Trojan locks the screen to block the user from accessing the compromised device.
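
The package name, requested permissions and service name above can be checked against a decoded AndroidManifest.xml during triage. The following is an added example, not code from the original write-up. It assumes the manifest has already been decoded to plain XML, that the service is declared in it, and that the permission descriptions map to the standard Android permission constants shown; both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PACKAGE_NAME = "Nero.lockphone"  # package name given in the write-up
SERVICE_NAME = "killserve"       # service name given in the write-up
# Assumption: the write-up lists permissions as descriptions only; these are
# the standard Android permission constants those descriptions correspond to.
LOCKER_PERMISSIONS = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.GET_TASKS",
    "android.permission.WAKE_LOCK",
    "android.permission.SEND_SMS",
}

def triage_manifest(manifest_xml):
    """Report which of the write-up's indicators a decoded manifest matches."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Assumption: the service is declared in the manifest; the name may be
    # relative (".killserve") or fully qualified, so compare the last segment.
    services = {(e.get(ANDROID_NS + "name") or "").rsplit(".", 1)[-1]
                for e in root.iter("service")}
    matched = sorted(LOCKER_PERMISSIONS & requested)
    return {
        "package_match": root.get("package") == PACKAGE_NAME,
        "service_match": SERVICE_NAME in services,
        "matched_permissions": matched,
        "all_permissions_match": len(matched) == len(LOCKER_PERMISSIONS),
    }

def build_manifest(package, permissions, service):
    """Build a constructed plain-text manifest used as sample input."""
    perms = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{perms}<application>'
            f'<service android:name="{service}"/></application></manifest>')

# Constructed samples: one carrying every indicator, one unrelated app.
SAMPLE_MATCH = build_manifest(PACKAGE_NAME, sorted(LOCKER_PERMISSIONS), ".killserve")
SAMPLE_BENIGN = build_manifest("com.example.torch",
                               ["android.permission.WAKE_LOCK"], ".TorchService")

if __name__ == "__main__":
    for label, sample in (("match", SAMPLE_MATCH), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(sample))
```

The manifest inside an APK is stored in a binary XML format, so decode it first with a tool such as apktool. Individual permissions in this set are common in legitimate apps; the package name and service name are the stronger indicators.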