{
	"id": "80046163-0c99-489d-8e11-cf1e4b1369d2",
	"created_at": "2026-04-06T00:11:19.893732Z",
	"updated_at": "2026-04-10T13:12:57.305563Z",
	"deleted_at": null,
	"sha1_hash": "39c636cd90395fa8383d40d020c0bcc4a3c37994",
	"title": "Android SLocker Variant Uses Coronavirus Scare to Take Android Hostage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411619,
	"plain_text": "Android SLocker Variant Uses Coronavirus Scare to Take Android\r\nHostage\r\nBy Silviu STAHIE\r\nArchived: 2026-04-05 17:09:53 UTC\r\nThe coronavirus pandemic is an opportunity for criminals who try to take advantage of people’s thirst for\r\ninformation. Unfortunately, Android users can fall prey to malware attacks using the COVID-19 cover, especially\r\nif they sideload apps by circumventing the installation process through the official Play Store.\r\nUsers are always facing risks when using technology, especially when it’s connected to the Internet. One of the\r\nways to increase your possible exposure to Android malware is to install apps outside of regular vendor-endorsed\r\nchannels.\r\nAnd what better way to get people’s attention than by using an app that’s simply called “About Koronavirus.”\r\nUsers with a voracious appetite consume everything that’s coronavirus-related, and in this case, the app would\r\nlock the screen of the phone, prompting people to pay for a code to return the control of their device.\r\nWhile it’s not as damaging as ransomware, the average user will have a hard time distinguishing between threats,\r\nas the result is the same, and that’s getting locked out of your device.\r\nSideloading is dangerous\r\nPeople should generally be wary of installing applications from sources outside of official ecosystems, like the\r\nPlay Store. It’s a sure way of compromising a phone, whether it’s through malware designed to lock the phone or\r\nto steal personal or financial information.\r\nBitdefender telemetry picked up a malware variation of a SLocker – a well-established piece of malware that locks the\r\nuser out. The phone itself and the data are not affected, but the phone becomes unusable, as the home screen is no\r\nlonger accessible. 
It’s not a terribly clever piece of software – and it couldn’t be much more, given how Android is\r\nbuilt – and there are ways to remove it even after it has become active.\r\nThe app is called “Koronavirus haqida”, which translates into “About Coronavirus.” The package name is\r\n“com.lololo” (MD5: 476b68a650223780ec73f804e639b7ce) and after the user installs the application and runs it,\r\nthe screen is locked and displays a simple ransomware message, in the Uzbek language.\r\nTo make the threat even more convincing, the attacker says that you can only pay within 20 minutes, after which\r\nthe phone won’t be usable. The good news is that the time limit is false, as there’s nothing like that implemented\r\nin the code. The bad news is that the phone is genuinely locked, which means that none of the buttons will work,\r\nand it survives a system reboot.\r\nThe SLocker behaves differently depending on the Android version, according to the level of access\r\npermitted by the OS. Newer Android versions, from 8.0 and upwards, won’t allow the app to lock the buttons, but\r\nusers still can’t delete the app normally.\r\nThis is the rough translation:\r\nCongratulations!\r\nYour phone is blocked! You have 20 minutes to enter the code, otherwise the phone will not turn on\r\nagain …\r\nDon't see this as an arbitrary message, it will be difficult for you 🙁\r\nUnlock password\r\nExact time\r\nTo unlock the code, call +998 998 910 312 Make 8000 paynet and get the code. (Don't ask for the code\r\nwithout Paynet, I won't tell you anyway)\r\nIf the user enters the wrong code, a simple message is displayed: “Avval paynet, keyin kod😅“ that translates to\r\n“First paynet then code.”\r\nAnd here comes the strange part, as the code expected by the app is actually the phone number, 998 998 910 312,\r\nwithout the “+” sign. 
It’s hardcoded into the app, so it’s the same one for anyone foolish enough to install the\r\nmalware.\r\nJust unlocking the phone by entering the right code doesn’t remove the application. It will continue to run in the\r\nmemory until it’s removed. If the user kills the app from memory and reruns it, the phone will be locked once\r\nmore.\r\nYou will also notice a checkbox, with the text “Nimaga telefon blocklandi?”, translating to “Why is the phone\r\nblocked?”. When the checkbox is selected, the following message is shown: “You have installed something\r\nprohibited from the internet on your phone. If you do not PayNet within the specified time, your phone will not\r\nlight up again. ☎️ Get the code by dialing + 998 99 891 03 12 for 8000 PayNet sum! “, 0”.\r\nLessons to be learned\r\nOnce the user runs the malware and locks the phone, it can only be removed via the Android Debug Bridge (adb)\r\nor Safe Mode. If the correct code is entered and the screen unlocked, the app can be removed from the OS as well,\r\nthrough the usual methods.\r\nThe malware is not as aggressive as others, but the fact that it’s trying to make use of the coronavirus scare is likely\r\nto help it get more traction.\r\nWhat’s equally interesting about this SLocker malware is the fact that it’s not entirely original. In fact, it’s most\r\nlikely a copy of some older versions; it was just adapted to the COVID-19 pandemic.\r\nWhen we look closer at the file structure, we see there’s an image in “\\res\\drawable\\” named “image_1.png” that\r\nhas a message in Russian, and not in Uzbek. 
The likely explanation is that it’s a leftover from the previous versions\r\nof the screen locker.\r\nThe translation: “you were blocked for cheating.”\r\nIn the past few months, the malware was reported in Ukraine, Russia, numerous countries in Central Asia,\r\nincluding Kazakhstan and Turkmenistan, and parts of India and North Africa.\r\nVarious samples with the same package name (Virus or ELOSTORA VIRUS labels) have been identified as well.\r\nHowever, they have no relation to the Coronavirus, but appeared after COVID-19 became a pandemic.\r\nIndicators of compromise:\r\nMD5  First seen on\r\n6e3d57271a1c0e8e79c88d15f3897bab  Nov 30 2019\r\n698aa564ba543d8b0bb247471554672b  Feb 21 2020\r\n1dfc2e6f96727ab1bb37bc5ac303dc62  Mar 09 2020\r\n8fc2e3254eabdfceee843c6bc3367f6c  Mar 09 2020\r\nc89cd578e2a647671ce7254d3fab41dc  Mar 20 2020\r\nSource: https://www.bitdefender.com/en-us/blog/labs/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/labs/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage"
	],
	"report_names": [
		"android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39c636cd90395fa8383d40d020c0bcc4a3c37994.pdf",
		"text": "https://archive.orkl.eu/39c636cd90395fa8383d40d020c0bcc4a3c37994.txt",
		"img": "https://archive.orkl.eu/39c636cd90395fa8383d40d020c0bcc4a3c37994.jpg"
	}
}