CryptoLocker, a Windows ransomware, has gained popularity recently. Last week, a ransomware targeting Android emerged. This ransomware is named Koler.A.
Let us take a look at what it does.
Ransomware behavior
A user infected with this ransomware will see the following message on their screen repeatedly. It states that your phone has been locked by the authorities and that you need to pay $300 via MoneyPak to have your phone unlocked.
What is annoying about this ransomware is that it takes over your screen by periodically showing the message above. This makes your phone unusable, because as soon as you do something on your phone, the message overrides your screen again.
How does it work?
LockActivity.class
First, it reads a list of URLs from its resources and then loads them in a WebView. A WebView lets the app display web pages inside the application, and it is these URLs that show the message above. It also starts the LockService class, which acts as a watchdog and will always respawn the LockActivity.
The service also sets an alarm that triggers the LockActivity every 2000 ms.
Suspicious Code
There are many suspicious declarations in the manifest file. First, it uses the package name "com.android", which is the default package name for the Android system processes. Second, it auto-starts after boot with a priority of 999. Third, it has two receivers declared as remote, which means they run in a separate process; this is done as a watchdog for the application. We can also note that the declared permission READ_PHONE_STATE hints that it accesses the internet and phone system information (e.g., IMEI, phone number).
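The manifest indicators listed above (system-looking package name, boot receiver with priority 999, receivers in a separate process, READ_PHONE_STATE) are easy to check mechanically once the manifest has been decoded. The script below is an added triage example written for this post; it is not code from the original post or from the Koler.A sample. The two manifests embedded in it are constructed for illustration, and the class names (LockActivity, LockService, BootReceiver, WatchReceiver) are taken from or modelled on the post rather than extracted from a real APK.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicators
described in the post: a "com.android" package name, a BOOT_COMPLETED
receiver with a high priority, receivers running in a separate process
(watchdog pattern) and the READ_PHONE_STATE permission.

Added example, not the post's own code. Manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Return the namespace-qualified android:<attr> name for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest mimicking the declarations the post describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Example">
    <activity android:name=".LockActivity"/>
    <service android:name=".LockService"/>
    <receiver android:name=".BootReceiver" android:process=":remote">
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WatchReceiver" android:process=":remote"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of human-readable findings for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Package name that impersonates the Android system processes.
    pkg = root.get("package", "")
    if pkg == "com.android":
        findings.append("package name impersonates Android system processes: %s" % pkg)

    # 2. Permission that exposes IMEI / phone number.
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    if "android.permission.READ_PHONE_STATE" in perms:
        findings.append("READ_PHONE_STATE requested (IMEI / phone number access)")

    # 3. Receivers in a separate process and boot auto-start with a priority.
    for recv in root.iter("receiver"):
        name = recv.get(a("name"))
        proc = recv.get(a("process"))
        if proc:
            findings.append("receiver %s runs in separate process %s (watchdog pattern)" % (name, proc))
        for flt in recv.iter("intent-filter"):
            actions = {act.get(a("name")) for act in flt.iter("action")}
            if "android.intent.action.BOOT_COMPLETED" in actions:
                prio = flt.get(a("priority")) or "default"
                findings.append("receiver %s auto-starts at boot with priority %s" % (name, prio))
    return findings


def is_suspicious(xml_text, threshold=3):
    """Heuristic verdict: three or more of the post's indicators together."""
    return len(triage_manifest(xml_text)) >= threshold


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "suspicious=%s" % is_suspicious(text))
        for line in triage_manifest(text):
            print("  -", line)
```

The threshold of three combined indicators is an assumption for this example; any single one (a remote receiver, for instance) is common in legitimate apps, which is why the script reports each finding separately rather than alerting on one alone.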
Code obfuscation
The malware author included code obfuscation by making the class names similar to each other, which makes them hard for a reverser to tell apart.