Reply to topic  [ 3 posts ] 
 Android devices gets first cryptolocker-type malware. 
Author Message
Level 38
Level 38
User avatar

Cash on hand:

Posts: 20853
Joined: Sat Feb 14, 2009 11:44 pm
Group: Sysop
Post Android devices gets first cryptolocker-type malware.
Last weekend saw the (somewhat anticipated) discovery of an interesting mobile trojan – the first spotting of a file-encrypting ransomware for Android by our detection engineers.

Let’s put this all into perspective, so we know what we’re dealing with here…

Almost exactly one year ago, a hybrid comprising characteristics of a rogue AV and ransomware (the lockscreen type, not a file-encryptor) was discovered, calling itself Android Defender, as reported by Symantec. It had all the typical traits of a fake AV and all the typical traits of a lockscreen ransomware – in that it was not actually that trivial to get rid of when a user was not protected by a mobile antivirus, they had to disable it by booting their device into Safe mode. ESET detects that threat as Android/FakeAV. A less aggressive Android Defender without the lockscreen functionality was analyzed by Sophos in May 2013.

Last month the blog Malware don’t need Coffee reported on a police ransomware for Android by the Reveton team. Again, this was an evolutionary migration of a malware type, very prevalent in recent years, from Windows to the Android platform. A connection to Cryptolocker (one of many file-encrypting trojans, which ESET detects as the Win32/Filecoder family, that received an overwhelming amount of media attention and that I have written about here and here) was suggested by Kaspersky. However, that particular police ransomware, detected by ESET as Android/Koler, was neither Cryptolocker, nor did it encrypt any files on the infected device.

The situation has changed however, with this most recent discovery, last weekend, of an Android trojan, detected by ESET as Android/Simplocker. This malware, after setting foot on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files. Let’s look at the malware in greater detail.

After launch, the trojan will display the following ransom message and encrypt files in a separate thread in the background.

The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine. The message roughly translates to:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

The malware directs the victim to pay using the MoneXy service for obvious reasons, as it is not as easily traceable as using a regular credit card. 260 UAH is roughly 16 EUR or $21 US.

Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES.
Files encrypted by Android/Simplock.A

Files encrypted by Android/Simplock.A

Android/Simplocker.A will also contact its Command & Control server and send identifiable information from the device (like IMEI, et cetera). Interestingly, the C&C server is hosted on a TOR .onion domain for purposes of protection and anonymity.
Figure 3 - Part of the Android/Simplocker.A source code for connecting to the TOR anonymity network

Figure 3 – Part of the Android/Simplocker.A source code for connecting to the TOR anonymity network

As you may notice on the nag-screen above, there is no input field for a payment-confirming code of any kind, as we’ve seen in earlier examples of Windows ransomware. Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files.

The sample we’ve analyzed is in the form of an application called ‘Sex xionix’. It was not found on the official Google Play and we estimate that its prevalence is very low at this time.

Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.

Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.

Instead we encourage users to protect themselves against these threats using prevention and defensive measures. For example, a mobile security app such as ESET Mobile Security for Android will keep malware off your device. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce your risks. And if you keep current backups of all your devices then any ransomware or Filecoder trojan – be it on Android, Windows, or any operating system – is nothing more than a nuisance.

Sauce: GET


Click the icon to see the image in fullscreen mode  
1 pcs.

Wed Jun 04, 2014 3:06 pm
Profile E-mail WWW
Level 38
Level 38
User avatar

Cash on hand:

Posts: 10363
Joined: Sun Oct 26, 2008 5:47 am
Group: Dev Team
Post Re: Android devices gets first cryptolocker-type malware.
encrypting malware is my biggest fucking nightmare. files gone for-fucking-ever unless you can find the encryption key.

My Pixiv
Spoiler: show

Wed Jun 04, 2014 3:52 pm
Profile E-mail
Level 0
Level 0
User avatar

Cash on hand:
Posts: 4
Joined: Fri Jan 04, 2019 2:26 am
Group: Registered users
Post Re: Android devices gets first cryptolocker-type malware.
Hey I know it might be a pain but can you put hyperlinks referencing the sources of your information plz thx

nvm you copied ad verbatim

Mon Jan 07, 2019 6:42 pm
Profile E-mail
Display posts from previous:  Sort by  
Reply to topic   [ 3 posts ] 

Similar topics

IPhone Alarm Glitch - Which Else Can Devices Be Blamed For?
Forum: ./General Spam
Author: Orange Juice Jones
Replies: 18
the type of shows children should be watching
Forum: ./General Spam
Author: yellowrock
Replies: 3

Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Mods Database :: Imprint :: Crawler Feeds :: Reset blocks
Designed by STSoftware for PTF.

Portal XL 5.0 ~ Premod 0.3 phpBB SEO