
Abstract

Reserve paper
Samir Mody, K7 Computing
Dhanalakshmi V, K7 Computing

The recent Android ransomware Koler/Simple Locker, despite leaving the device's contents unencrypted, necessitated special manual cleanup actions or dedicated cleanup tools from AV companies. The reason for this was very simple. The malware, granted Device Administrator status through clever social engineering, registers callbacks to Android OS daemon broadcasts, and persistently reacts first to these stimuli such that a splash screen with ransomware demands is displayed before the hapless user has the opportunity to access the GUI of the installed AV solution to effect a scan and cleanup. This behaviour even survives a reboot. It is possible to recover from this unenviable situation by returning the device to factory settings, fiddling about with buttons to obtain 'safe mode', uninstalling the malware via the ADB, or by using dedicated tools, but these options are far from ideal for the device's owner.

The simple example above demonstrates the ease with which mobile security solutions can be rendered impotent even when the malware can be detected with ease. It sets a dangerous precedent for dealing with far more obdurate malware, including those that could burrow deep into the OS. We ought not to wait for these scenarios before acting.

This presentation will demo a sample of Koler in action, highlighting the difficulties faced in attempting to clean the infection. We investigate the Android OS daemon broadcast framework and boot mechanism in detail, identifying stages which could present opportunities for malware to 'hook' into, highlighted by an analysis of the Koler code which registers the callbacks to display the splash screen within intervals of a couple of seconds.

Finally, we propose an updated boot and broadcast framework that would enable trusted applications such as mobile security apps to launch before any other application, thus strengthening the hand of AV companies in the absence of a bona fide Real-Time Scanning ability on Android.
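The manifest-level footprint of the behaviour described above (a Device Administrator receiver, a BOOT_COMPLETED receiver for reboot persistence, and a high intent-filter priority so the app reacts ahead of other receivers) can be triaged statically before the app is ever installed. The Python script below is an added example, not code from the paper or from K7 Computing; the action and permission strings are real Android identifiers, while the sample manifest and its receiver class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name):
    # ElementTree exposes android:foo attributes as "{namespace}foo"
    return "{%s}%s" % (ANDROID_NS, name)

# Real Android identifiers for the three artefacts that matter here.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(xml_text):
    # Return one finding string per Koler-style hook found in the manifest.
    root = ET.fromstring(xml_text)
    findings = []
    for recv in root.iter("receiver"):
        name = recv.get(attr("name"), "?")
        actions = {a.get(attr("name")) for a in recv.iter("action")}
        if recv.get(attr("permission")) == DEVICE_ADMIN_PERM and DEVICE_ADMIN_ACTION in actions:
            findings.append("%s: device-admin receiver (must be deactivated before uninstall)" % name)
        if BOOT_ACTION in actions:
            findings.append("%s: BOOT_COMPLETED receiver (persists across reboot)" % name)
        # android:priority orders delivery of ordered broadcasts; a very large
        # value marks an app that wants to react to a stimulus before anyone else.
        for flt in recv.iter("intent-filter"):
            prio = flt.get(attr("priority"))
            if prio and prio.lstrip("-").isdigit() and int(prio) >= 1000:
                findings.append("%s: intent-filter priority %s" % (name, prio))
    return findings

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.locker">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` yields three findings, one per hook; a manifest with none of these receivers yields an empty list.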