Tuesday, June 10, 2014

SimpleLocker: Android version of Cryptolocker

In our previous blog about ransomware in android, we talked about how the windows malware are slowly shifting to mobile. Just this week, a new android malware called Simplelocker emerged and it does work similar to the windows Cryptolocker malware.

Let us take a look at the functionality of this malware.

The sample we are going to analyze is found contagiominidump.blogspot.com.

The app when installed has the following icon:











When executed, it will display the following which also locks your screen.




























The message states that the user's device is locked and you must pay 260 UAH using the service MoneXy to unlock the device.

This malware has a service that starts two scheduled tasks and one thread. The first task is for C&C communication and the second task is for screen locker. The created thread is for encrypting files in the SD card.




C&C Communication

The first scheduled task is set to repeat every 180 seconds. Its purpose is to contact its C&C server via TOR service and check with the server if the infected user has already paid. It sends the following information as part of the check:

  • Device Id
  • Client Number (could be equal to bot id)
  • Type



It send it to "http://xeyocsu7fu2vjhxs.onion/" and check for the "stop command" from the C&C server which directs the app to unlock the device and decrypt the files.




Screen Locker

The second task is set to repeat every 1 second and it just restarts the main activity which displays the lock message and thus locks your screen.



File Encryptor

The file encryptor thread will look for specific files in the SD card and encrypt them using AES-256. It is looking for the files with extensions, jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, and mp4.  Encrypted files are appended with .enc extensions. The key is hardcoded in the app unlike the cryptolocker in which the key used in encrypting files is further encrypted using an RSA-2048 public key coming from the C&C server. . It also includes a decrypt function which executed when it receives the "stop command" from the C&C server.








1 comment: