The recently discovered Android/Simplelocker and Android/Lockerpin.A have reportedly been spreading and infecting a lot of Android users. These ransomware families are getting more sophisticated and complex with each newly discovered variant.
Simplelocker isn't going to be that 'simple', huh?
Yup. Simplelocker has been dubbed THE first ransomware that actually encrypted user files. Previous 'supposed' ransomware was just either screen lockers or scareware that never really encrypted a user's files.
New variants of Simplelocker have been reported to check the user's current location. If the user is in a country other than the USA or Russia (which get either an FBI- or NSA-themed ransom message), the malware uses a localized version of the message instead.
Currently, the latest variant of Simplelocker is more sophisticated than its predecessor mainly because it generates unique keys for each infected device, making it harder for antivirus software to decrypt infected devices.
Let's get technical!
Simplelocker poses as a legitimate Flash Player app, and when installed it requests that the user grant it administrator rights. If the user grants the malware's request, it immediately uses social engineering to deceive the user into paying a ransom (usually around $200) to unlock the device and decrypt the files it encrypted. The malicious app claims to be the FBI or NSA and says that suspicious files violating copyright laws have been found on the user's device, or that the user has been found guilty of wrong-doing such as browsing pornographic websites.
Is this true? Simplelocker really encrypts my files?
Yes. Once Simplelocker is installed and executed, the malware loads an internal configuration from an encrypted string embedded within its code. The configuration contains the details the malware needs for handling C&C commands, as well as the initial parameters for communication with the C&C. It also contains XMPP user accounts and passwords.
The configuration is divided into two parts:
- Data that the malware uses
- Server commands and how they should be handled by the malware
The malware uses shadow accounts from the configuration section to send an initial message to the C&C server. The initial message contains the infected device's BUILD_ID, AFFILIATE_ID, IMEI, OS_Version, OperatorName, PhoneNumber and Country. The C&C server then sends a response (which typically contains new XMPP accounts and various other commands) to the malware, after which the malware changes its configuration.
After the initial message has been successfully sent, the malware sends periodic messages (usually at 60-150 minute intervals) which contain the BOT_ID value as identification, along with a flag indicating whether a file is encrypted or decrypted.
If the user decides to pay the ransom and enters a voucher code, the malware sends a message to the C&C server with the voucher information. The malware then waits for the server's response with the additional command to decrypt the user's files. Oh, and FYI, the ransom money won't really be sent to the Feds or NSA people, only to the malware dev.
However, if the user does not fall for the malware's ransom demand and somehow manages to 'remove' the malware, their files still remain encrypted.
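The check-in, heartbeat and voucher messages described above make a usable detection pattern for anyone reviewing captured XMPP traffic. The script below is an added example and not code from the post or from the cited reports; the post does not describe the wire format of the messages, so the example assumes a flat `KEY=VALUE;KEY=VALUE` body, assumes the encrypted/decrypted flag is carried as a field named `ENCRYPTED`, and constructs its own sample messages (no real bot identifiers or XMPP accounts). The field names themselves (BUILD_ID, AFFILIATE_ID, IMEI, OS_Version, OperatorName, PhoneNumber, Country, BOT_ID) and the 60-150 minute cadence are the ones the post gives.

```python
"""Triage of captured XMPP message bodies for Simplelocker-style C&C beacons.

Added example (not from the post). Assumptions: flat 'K=V;K=V' bodies,
a heartbeat flag named ENCRYPTED, and constructed sample traffic below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field set of the initial check-in, as listed in the post.
CHECKIN_FIELDS = frozenset({"BUILD_ID", "AFFILIATE_ID", "IMEI", "OS_Version",
                            "OperatorName", "PhoneNumber", "Country"})
# Heartbeat cadence reported in the post: roughly every 60-150 minutes.
HEARTBEAT_MIN = timedelta(minutes=60)
HEARTBEAT_MAX = timedelta(minutes=150)

# Assumed body format: NAME=value segments separated by ';'.
KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=([^;]*)$")

# Constructed sample traffic: (ISO timestamp, sender JID, message body).
SAMPLE_MESSAGES = [
    ("2015-09-01T10:00:00", "bot1@example-xmpp.invalid",
     "BUILD_ID=SAMPLE_BUILD;AFFILIATE_ID=12;IMEI=000000000000000;OS_Version=5.1;"
     "OperatorName=TestCarrier;PhoneNumber=+10000000000;Country=US"),
    ("2015-09-01T11:30:00", "bot1@example-xmpp.invalid", "BOT_ID=sample-bot;ENCRYPTED=1"),
    ("2015-09-01T13:40:00", "bot1@example-xmpp.invalid", "BOT_ID=sample-bot;ENCRYPTED=1"),
    ("2015-09-01T14:00:00", "alice@example-xmpp.invalid", "hey, are we still meeting at 3?"),
    ("2015-09-01T16:00:00", "bot1@example-xmpp.invalid", "BOT_ID=sample-bot;VOUCHER=SAMPLE-0000"),
]


def parse_body(body):
    """Parse a 'K=V;K=V' body into a dict; return None if any segment is not K=V."""
    fields = {}
    for segment in body.split(";"):
        match = KV_RE.match(segment)
        if not match:
            return None
        fields[match.group(1)] = match.group(2).strip()
    return fields


def classify(body):
    """Label a body as 'checkin', 'heartbeat', 'voucher', or None (ordinary chat)."""
    fields = parse_body(body)
    if fields is None:
        return None
    keys = set(fields)
    if CHECKIN_FIELDS <= keys:          # full device-fingerprint set present
        return "checkin"
    if "BOT_ID" in keys and "VOUCHER" in keys:
        return "voucher"
    if "BOT_ID" in keys and "ENCRYPTED" in keys:
        return "heartbeat"
    return None


def triage(messages):
    """Group beacon-like messages per sender and score them.

    A sender scores 2 for a check-in, 2 for heartbeats that all fall inside the
    60-150 minute window (1 if heartbeats exist but are irregular), and 1 for a
    voucher message. Score >= 3 is reported as a likely bot.
    """
    per_sender = defaultdict(lambda: {"checkin": 0, "heartbeat": 0, "voucher": 0, "times": []})
    for ts, sender, body in messages:
        label = classify(body)
        if label is None:
            continue
        entry = per_sender[sender]
        entry[label] += 1
        if label == "heartbeat":
            entry["times"].append(datetime.fromisoformat(ts))

    findings = {}
    for sender, entry in per_sender.items():
        times = sorted(entry["times"])
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = bool(gaps) and all(HEARTBEAT_MIN <= g <= HEARTBEAT_MAX for g in gaps)
        score = (2 if entry["checkin"] else 0)
        score += 2 if periodic else (1 if entry["heartbeat"] else 0)
        score += 1 if entry["voucher"] else 0
        findings[sender] = {
            "checkin": entry["checkin"], "heartbeats": entry["heartbeat"],
            "periodic": periodic, "voucher": entry["voucher"], "score": score,
            "verdict": "likely-simplelocker-bot" if score >= 3 else "inconclusive",
        }
    return findings


if __name__ == "__main__":
    for sender, finding in triage(SAMPLE_MESSAGES).items():
        print(sender, finding)
```

Two points in the design matter more than the scoring weights: the check-in is recognised by the full device-fingerprint field set rather than any single field, because fields like IMEI or Country appear in plenty of legitimate telemetry, and the heartbeat check looks at the gaps between consecutive messages from one sender, which is what makes the "60-150 minute" cadence from the reports actionable against captured traffic.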
[Figure: Simplelocker's sample ransom note]
[Figure: Simplelocker's sample mode-of-payment page]
Another new Ransomware but with a twist
Lockerpin has been dubbed by ESET as THE first known Android lock-screen-type ransomware that sets the infected device's PIN lock.
What sets Lockerpin apart from previous LockScreen Trojans?
Well, previous LockScreen trojans' screen-locking functionality was usually achieved by constantly bringing the ransom window to the foreground in an infinite loop. Some self-defense mechanisms were implemented to keep the user from accessing their device without paying the ransom. However, that malware was not too difficult to remove: the infected device could be unlocked via Android Debug Bridge (ADB), or the user could deactivate the malware's administrator rights and uninstall it in Safe Mode.
With Lockerpin, on the other hand, users have no effective way of regaining access to their infected devices without root privileges or without some form of security management solution (aka antivirus software) installed. Users may be able to get their infected devices back by doing a factory reset, but that deletes all their data. (poor user. :( )
How does Lockerpin work, anyways?
Good question. And I have an answer to that. Android/Lockerpin.A comes from third-party marketplaces, torrents, forums, etc. (anywhere other than the official Google Play Store), disguised as an update. When users install this 'update', the malware tries to trick the user into granting it Device Administrator privileges.
[Figure: Lockerpin trying to trick the user into giving it Admin Rights]
[Figure: Lockerpin's fake FBI note, page 1]
[Figure: Lockerpin's fake FBI note, page 2]
After displaying the fake FBI message onscreen, the malware locks the user's device. Users may attempt to remove the malware by accessing Safe Mode or Android Debug Bridge (ADB). However, after any ransom activity, the PIN is reset, and neither the user nor the malware dev is able to unlock the infected device.
But.... but why?!
It's because Lockerpin generates random PINs and does not keep a record of any generated code. The only way the user can unlock their device is by resetting the infected device to factory default, and only if the device is rooted: if the infected device does not have root privileges, it stays permanently locked.
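Both families described in this post (Simplelocker posing as Flash Player, Lockerpin posing as an update) depend on the user granting Device Administrator rights, and Lockerpin's PIN reset is only possible because of that grant. A useful static triage step before sideloading an 'update' is therefore to check whether its manifest declares a Device Administrator receiver at all. The script below is an added example, not code from the post or from ESET, Check Point or Avast; it assumes a manifest already decoded to plain XML (for instance with apktool) and constructs its own sample manifests for a fake "Flash Player" package and a benign app. The package name `com.example.fakeflash` and the receiver name `.AdminReceiver` are constructed placeholders; the permission, action and meta-data names are the real Android ones.

```python
"""Static triage: does a decoded AndroidManifest.xml declare a Device Administrator receiver?

Added example (not from the post). Assumes a manifest decoded to plain XML;
the sample manifests below are constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"      # guards the receiver
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"  # fired on activation
DEVICE_ADMIN_META = "android.app.device_admin"                    # points at the policy XML

# Label words the post associates with the lures (Flash Player, an "update").
LURE_WORDS = ("flash", "player", "update")

# Constructed sample: a fake Flash Player app that registers a device admin.
FAKE_FLASH_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflash">
  <application android:label="Flash Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign app with no device-admin component.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def attr(name):
    """Qualified name of an android: attribute for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, name)


def find_device_admin_receivers(manifest_xml):
    """Return one dict per <receiver> that shows any Device Administrator marker."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        guarded = receiver.get(attr("permission")) == BIND_DEVICE_ADMIN
        has_meta = any(m.get(attr("name")) == DEVICE_ADMIN_META
                       for m in receiver.findall("meta-data"))
        listens = any(action.get(attr("name")) == DEVICE_ADMIN_ENABLED
                      for intent in receiver.findall("intent-filter")
                      for action in intent.findall("action"))
        if guarded or has_meta or listens:
            found.append({"receiver": receiver.get(attr("name")),
                          "bind_permission": guarded,
                          "device_admin_meta": has_meta,
                          "enabled_action": listens})
    return found


def triage_manifest(manifest_xml):
    """Combine the device-admin check with the lure-label heuristic into a verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = (app.get(attr("label")) if app is not None else None) or ""
    admins = find_device_admin_receivers(manifest_xml)
    lure_label = any(word in label.lower() for word in LURE_WORDS)
    if admins and lure_label:
        verdict = "review-before-install"   # admin receiver behind a lure-style name
    elif admins:
        verdict = "device-admin-present"    # legitimate for MDM/security apps; still note it
    else:
        verdict = "no-device-admin"
    return {"package": root.get("package"), "label": label,
            "device_admin_receivers": admins, "lure_label": lure_label,
            "verdict": verdict}


if __name__ == "__main__":
    for manifest in (FAKE_FLASH_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The three markers are checked independently because a decoded manifest may carry only some of them; any one of them is enough to warrant a closer look at the app's `device_admin` policy XML. A Device Administrator receiver is not malicious on its own (mobile device management and security apps use the same mechanism), which is why the verdict distinguishes "present" from "present behind a Flash Player / update style label" rather than calling the package malware.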
Article Refs:
- [For Simplelocker] http://news.softpedia.com/news/simplocker-android-ransomware-returns-now-poses-as-the-nsa-490859.shtml, http://blog.checkpoint.com/2015/08/31/global-xmpp-android-ransomware-campaign-hits-tens-of-thousands-of-devices/ and https://blog.avast.com/2015/02/10/mobile-crypto-ransomware-simplocker-now-on-steroids/
- [For Lockerpin] http://news.softpedia.com/news/android-ransomware-changes-lock-screen-pin-with-a-random-number-491458.shtml and http://www.welivesecurity.com/2015/09/10/aggressive-android-ransomware-spreading-in-the-usa/