About two years ago, I wrote that the method of extorting money from users by locking the desktop, which is common on Windows, could also be carried over to Android. At the time it seemed no more than an assumption, but it turned out to be a prophecy.
Currently, there are hundreds of Trojans that lock the phone with a pop-up window demanding that money be transferred to the attackers.
To enhance the psychological effect, some malware photographs the person with the front camera and puts this photo on the screen, styled as an order from the special services. Android.Locker.7.origin does this, for example.
Neither restarting the device nor repeatedly pressing the hardware buttons helps. The only thing an unprepared person can do is reset the phone by restoring the factory settings.
We at Doctor Web, in the antivirus development department for Android, asked ourselves how to help people. The solution lay on the surface: when Dr.Web for Android anti-virus receives a certain signal, it can initiate the closure of all active applications, so the Trojan locker is closed as well. After the locker is closed, the Dr.Web application comes to the foreground to check the device for threats.
It remained to find that certain signal. As it turned out, this was not the easiest task. The developers, together with the usability specialists, set a criterion: the signal must come from the mechanical elements of the device, since the victim's screen is locked.
Candidates

What is always present on an Android phone?
- Volume buttons. As it turned out, pressing the volume up and down buttons is reported as a change in the volume level, and it is difficult to track how long a key is held down. Therefore, the option “hold down the volume up button for 15 seconds and get an unlocked phone” falls away.
- Headphone jack. Yes, the system sends a signal when headphones appear.
- Accelerometer. Yes, we can receive a signal about a change in the device's acceleration.
- Charging socket. Yes, it is possible to receive a signal when mains power appears.
Attempt #1

Like intelligent people, we decided to use a combination of signals to minimize false positives. For the first attempt, we chose the combination “insert-pull out headphones and shake the phone”. Why this particular combination? Because everyone usually has headphones, so the phone can be unlocked quickly and easily.
An application sensitive to this combination was built and given to people for testing. The feedback was not long in coming: it is inconvenient, the music cuts out, the phone call is interrupted, and your antivirus appears on the screen.
When analyzing people's behavior, we identified several patterns in which false positives occurred:
- A person walks down the street listening to music through headphones. When a call comes in, the person pulls the headset out of the phone and starts to talk, bringing the phone to the ear. Instead of the conversation, the person sees the antivirus on the screen.
- A person plugs in headphones, starts the music and goes jogging. The music is interrupted. Instead of the player, the antivirus is on the screen.
Attempt #2

Having grown wiser, we decided to abandon the headphones in favor of charging. A person uses the charger less often than headphones, we thought. The combination began to look like this: “insert-pull out the charger and shake the phone”.
An application with this combination was built and given to people for testing. The feedback simply knocked us down with a barrage of negativity.
The post-mortem:
- USB connectors are made very badly; they “rattle”. The person does not notice this, but the “charging” and “not charging” signals fly through the system at the rate of a machine gun.
- People love to play while the phone is charging. A person connects the phone to the mains and jumps onto the couch to play.
- A person tosses the phone onto the table after connecting it to the mains.
- Contactless chargers rattle even more often than USB connectors.
- The saddest experience is, of course, to put the phone on charge, open Google Maps, set off by car, bounce over the very first pothole in the road and see the antivirus window instead of the maps.
Attempt #3

Through trial and error, we came to the third and final combination: charging, headphones and shaking.
This combination turned out to be the most resistant to false positives.
In this form it exists today and helps millions of users of the Dr.Web for Android anti-virus. I should note, though, that when you advise a victim to perform this combination to unlock the phone, the person always asks: “Are you kidding?”
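
The three attempts above can be replayed as a small simulation. This is an added example, not Dr.Web's code: it runs each combination over constructed event traces modelled on the false-positive cases from the article. The 10-second window, the event names and the reading of “insert-pull out” as any plug or unplug event are assumptions.

```python
# Added simulation (not Dr.Web's code): why two-signal combinations misfire.
WINDOW_S = 10.0  # assumed: all required signals must occur within this span

# Combinations from the article, as sets of required signal kinds.
ATTEMPT_1 = {"headset", "shake"}
ATTEMPT_2 = {"power", "shake"}
ATTEMPT_3 = {"power", "headset", "shake"}

# Constructed event traces: (seconds, kind). "headset"/"power" mean any
# plug or unplug event (assumed); "shake" is an accelerometer spike.
SCENARIOS = {
    "call_while_listening": [(0.0, "headset"), (1.5, "shake")],
    "jogging_with_music": [(0.0, "headset"), (6.0, "shake"), (6.5, "shake")],
    "gaming_on_charger": [(0.0, "power"), (4.0, "shake")],
    # rattling connector: a burst of power events, then a pothole
    "pothole_with_rattling_usb": [(300.0, "power"), (300.1, "power"),
                                  (300.2, "power"), (300.4, "shake")],
}
UNLOCK_GESTURE = [(0.0, "power"), (3.0, "headset"), (6.0, "shake")]


def triggers(required, events, window=WINDOW_S):
    """True if every required kind occurs within one `window`-second span."""
    last_seen = {}  # kind -> most recent timestamp
    for ts, kind in sorted(events):
        if kind not in required:
            continue
        last_seen[kind] = ts
        # The oldest of the "most recent" timestamps bounds the tightest span.
        if len(last_seen) == len(required) and ts - min(last_seen.values()) <= window:
            return True
    return False


def false_positives(required):
    """Names of the everyday scenarios that would fire the unlock signal."""
    return sorted(n for n, ev in SCENARIOS.items() if triggers(required, ev))


if __name__ == "__main__":
    for name, combo in [("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2),
                        ("attempt 3", ATTEMPT_3)]:
        print(name, "false positives:", false_positives(combo))
    print("deliberate gesture fires:", triggers(ATTEMPT_3, UNLOCK_GESTURE))
```

Each two-signal combination fires on exactly the everyday traces its testers complained about, while the three-signal combination fires only on the deliberate gesture.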