Monday, July 6, 2015

Fake Cryptolocker for Android




Cryptolocker, the well-known file-encrypting ransomware Trojan targeting Microsoft Windows, first appeared in September 2013. It encrypted the files on disk and demanded between $300 and $500 per device. Not long after, in mid-2014, the first file-encrypting Trojan for the Android platform, Android/Simplocker, was discovered. Simplocker spread very quickly, but it is not as famous or as feared as Cryptolocker. A few days ago I came across the first fake Cryptolocker, one that parasitizes on the name of its better-known Windows counterpart.
The malware creator misused this (un)popular name, Cryptolocker, to create the illusion that the user's personal files stored on the device are encrypted and that the only way to decrypt them is to pay a ransom. In this case the malware author did not encrypt any files. The requested ransom is 100 USD, to be paid within 5 days.
One interesting thing is that this fake Cryptolocker is not designed to target devices located in Russia: if the user's device is located in Russia, the malicious functionality is not triggered.


Analysis

This ransomware was probably created in Russia, judging by the server the malware tries to reach. As mentioned earlier, if the country code of the device locale is Russia, the device is not locked. The locker text is written in English and demands US dollars paid via a PayPal Money Cash Card.

Figure 1 Locale check

Similar Russian-locale checks are implemented in all of the broadcast receivers.
The typical strategy is to pose as a regular, trustworthy application. The app also asks the user to activate it as a Device Administrator.

Figure 2 Malware execution


Once Device Administrator is activated, the malware locks the device and demands a ransom.

Figure 3 Device locked by fake Cryptolocker

The ransomware first registers the device on the attacker's server by sending the device's unique IDs. The device then contacts the server every 60 seconds to ask whether it should be unlocked or not. Because the Trojan does not encrypt files, no decryption is needed.

Figure 4 Device registration on server
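A 60-second polling loop to a single gateway URL is a strong network-side indicator for this kind of locker. The script below, an added example that is not part of the original post, groups constructed proxy log lines by (client, URL), computes the inter-request intervals and flags pairs whose interval sits at a near-fixed 60 seconds with low jitter. The log format, the client addresses and the host name c2.example are constructed; only the gateway path comes from the post.

```python
"""Detect fixed-interval C2 polling (beaconing) in constructed proxy log lines.

Added example, not from the original post: the log format, host names and
client addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines in a simple "timestamp client method url" form.
# 10.0.0.7 polls the gateway path every ~60 seconds; 10.0.0.8 browses normally.
SAMPLE_LOG = """\
2015-07-06T10:00:00 10.0.0.7 POST http://c2.example/index.php/gateway/
2015-07-06T10:00:05 10.0.0.8 GET http://news.example/index.html
2015-07-06T10:01:00 10.0.0.7 POST http://c2.example/index.php/gateway/
2015-07-06T10:02:01 10.0.0.7 POST http://c2.example/index.php/gateway/
2015-07-06T10:02:40 10.0.0.8 GET http://news.example/sports.html
2015-07-06T10:03:00 10.0.0.7 POST http://c2.example/index.php/gateway/
2015-07-06T10:04:00 10.0.0.7 POST http://c2.example/index.php/gateway/
2015-07-06T10:09:00 10.0.0.8 GET http://news.example/index.html
"""


def parse_log(text):
    """Yield (timestamp, client, url) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        try:
            yield datetime.fromisoformat(ts), client, url
        except ValueError:
            continue


def find_beacons(text, expected_interval=60.0, tolerance=5.0, min_requests=4):
    """Return {(client, url): median_interval_seconds} for pairs that poll
    at a near-fixed interval close to expected_interval."""
    by_pair = defaultdict(list)
    for ts, client, url in parse_log(text):
        by_pair[(client, url)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:      # too few requests to call it a pattern
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps)
        if abs(med - expected_interval) <= tolerance and jitter <= tolerance:
            beacons[pair] = med
    return beacons


if __name__ == "__main__":
    for (client, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {client} -> {url} every ~{interval:.0f}s")
```

The tolerance and minimum request count are the tuning knobs: a real proxy log will show scheduling jitter of a few seconds on a mobile device, so the check compares the median gap rather than requiring exact 60-second spacing.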
 
After that, the encoded HTML data received from the server are decoded and loaded into a WebView. The "encryption" applied to the received data is plain Base64 encoding.

Figure 5 Received encrypted HTML
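Because the server response is only Base64-encoded, an analyst can recover the lock-screen HTML with no key at all. The following added example (not code from the original post or from the malware) decodes such a payload, tolerating the URL-safe alphabet and stripped padding that malware C2 servers often use, checks that the result is HTML and lists the ransom-note keywords found in its visible text. The sample payload is constructed here and only imitates the structure of a lock screen.

```python
"""Decode a Base64 "encrypted" HTML payload without any key.

Added example, not from the original post: the payload below is constructed
and only imitates the structure of a lock screen served to a WebView.
"""
import base64
import binascii
import re

# Constructed sample: a minimal lock-screen page as a server might return it.
SAMPLE_HTML = (
    "<html><body><h1>Your device is locked</h1>"
    "<p>Pay 100 USD within 5 days via PayPal Money Cash Card.</p></body></html>"
)
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_HTML.encode()).decode()

# Keywords whose presence in the visible text marks a ransom note.
RANSOM_TERMS = ("locked", "pay", "usd", "paypal")


def decode_payload(data: str) -> str:
    """Base64-decode server data; tolerates whitespace, the URL-safe alphabet
    and stripped '=' padding. Raises ValueError for non-Base64 input."""
    cleaned = "".join(data.split())                        # drop whitespace/newlines
    cleaned = cleaned.replace("-", "+").replace("_", "/")  # URL-safe -> standard alphabet
    cleaned += "=" * (-len(cleaned) % 4)                   # restore padding if dropped
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid Base64") from exc
    return raw.decode("utf-8", errors="replace")


def looks_like_html(text: str) -> bool:
    """True if the decoded text opens a common HTML container tag."""
    return re.search(r"<\s*(html|body|div)\b", text, re.IGNORECASE) is not None


def ransom_indicators(text: str) -> list:
    """Return the ransom-note keywords present in the visible (tag-stripped) text."""
    visible = re.sub(r"<[^>]+>", " ", text).lower()
    return [term for term in RANSOM_TERMS if term in visible]


def analyse_payload(data: str) -> dict:
    """Decode one server response and summarise what it contains."""
    html = decode_payload(data)
    return {
        "is_html": looks_like_html(html),
        "indicators": ransom_indicators(html),
        "html": html,
    }


if __name__ == "__main__":
    result = analyse_payload(SAMPLE_PAYLOAD)
    print("HTML:", result["is_html"], "indicators:", result["indicators"])
```

The same decoder works on a response captured from a proxy or a packet capture: Base64 output is reversible by definition, so the "encryption" only hides the lock screen from a casual look at the traffic, not from anyone who inspects it.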

You will not find this malicious application on the official Google Play store. Such Trojans reach devices through typical phishing, posing as popular, highly downloaded applications or well-known games with a similar or even identical name and icon.


More information

Package name: com.lock
App name: Addobe Flash
Server: hxxp://185.4.66.91/index.php/gateway/


2 comments:

  1. Thanks for the info... keep writing and giving us information... glhf for your day!!!

  2. Love it! I like this topic. This site has lots of advantages. I found many interesting things from this site. It helps me in many ways. Thanks for posting this again. Work Lockers
