There has been a dramatic increase in attacks aimed at smartphones, tablets, and even "smart TVs", mostly targeting the Android ecosystem. Unlike Apple's iOS, Android allows users to use alternate app stores and to "sideload" arbitrary apps onto a device. There are entire marketplaces of "cracked" apps -- unauthorized versions of paid apps distributed for free -- and many thousands more apps that offer malicious payloads in addition to their advertised functionality.
In this post, we'll look at a recent example of a "locker", an application that takes control of a device and demands a ransom payment. Unlike typical PC ransomware, lockers don't encrypt a device's storage, but simply take over the display in a way that is nearly impossible to exit, rendering the device unusable. This particular sample purports to be an app for a popular pornographic site.
Launching the app shows a brief installation screen.
This is followed by an official-looking demand stating that "suspicious files have been found", and that the device is locked until a $500 penalty is paid.
A typical user will find it nearly impossible to exit from this malicious app. To see how the malware authors accomplish this, we first note that the app requests a wide range of permissions.
The highlighted permission, SYSTEM_ALERT_WINDOW, allows the app to draw a window on top of every other app, covering the entire screen in a way that cannot be dismissed by normal means. In addition, the app runs a simple background service that restarts it when the device is rebooted and in case of crash or termination.
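The permission and component combination described above is something an analyst can check for mechanically in a decoded manifest before opening the decompiled code. The following is an added example, not code from the post or from the sample being analyzed: it parses a constructed AndroidManifest.xml (the package, receiver and service names are made up for the example) and reports the overlay permission, boot-time persistence, a background service and camera access as separate indicators.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (the kind of output apktool
# produces) showing the traits the post describes. All names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.locker.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".WatchdogService"/>
  </application>
</manifest>
"""

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
CAMERA_PERM = "android.permission.CAMERA"


def triage_manifest(xml_text):
    """Return a dict of locker-style indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

    # A receiver registered for BOOT_COMPLETED is how the app comes back after a reboot.
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(ANDROID_NS + "name"))

    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]

    indicators = {
        "overlay_permission": OVERLAY_PERM in perms,
        "boot_persistence": BOOT_PERM in perms and bool(boot_receivers),
        "background_service": bool(services),
        "camera_permission": CAMERA_PERM in perms,
    }
    indicators["score"] = sum(1 for v in indicators.values() if v is True)
    indicators["boot_receivers"] = boot_receivers
    indicators["services"] = services
    return indicators


def looks_like_locker(indicators):
    # The overlay permission together with reboot persistence is the core of
    # the behaviour described in the post; camera access is supporting evidence.
    return indicators["overlay_permission"] and indicators["boot_persistence"]


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("locker-like:", looks_like_locker(result))
```

The score is a triage aid, not a verdict: many legitimate apps (chat heads, screen filters) request SYSTEM_ALERT_WINDOW, so the combination with a boot receiver and a watchdog service is what separates this sample from benign overlay users. On Android 6.0 and later the overlay permission is also a special permission the user must grant in Settings, which is worth checking when reproducing the behaviour on a newer device.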
The app gathers information about the user and attempts to take a picture of the victim using the device's front-facing camera. This information is displayed, followed by a sequence of graphic and disturbing pornographic images that were purportedly discovered on the user's device.
Despite this allegation, which is accompanied by the text of various laws concerning illegal pornography, these images are actually part of the malware itself. Here, in the decompiled app's resources, we find these pornographic images among assorted icons and logos:
The app solicits a ransom payment via a OneVanilla prepaid debit card.
In the app's decompiled code, we can see that the application verifies that the credit card entered by the victim has the appropriate prefix for a OneVanilla-issued card:
The app is written in Java, which can often be decompiled back to something similar to the original source code. However, the malware authors appear to have used an automated tool to obfuscate the code and make it more difficult to analyze. Here is the snippet of code that uploads the credit card information to a server controlled by the malware distributor:
Removing the base64 encoding, we start to see hints of the operation in the form of ASCII strings:
With additional manual deobfuscation, we find the code that uploads the credit card information as a parameter in an HTTP GET request:
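The "remove the base64 encoding and look for ASCII strings" step from the two paragraphs above is easy to automate over a whole decompiled source tree. The block below is an added example, not the post's code or the sample's code: it scans a constructed Java fragment (the encoded literals were produced from known plaintexts so the example checks itself, and the host name is a placeholder, not the server from the post) for base64-looking string literals, decodes each one, and keeps only results that are printable ASCII, which filters out identifiers that merely happen to be valid base64 and blobs that are keys or binary data.

```python
import base64
import re
import string

# Characters we accept in a recovered string (printable ASCII, tabs, newlines).
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed inputs for the sample below: known plaintexts encoded with
# standard base64, plus a binary blob that should NOT be reported.
URL_LITERAL = _b64("http://c2.example.invalid/gate.php")   # placeholder host
PARAM_LITERAL = _b64("?card=")
HEADER_LITERAL = _b64("User-Agent")
BINARY_LITERAL = _b64("\x00\x01\x02\x03binarykey")

# Constructed decompiled-Java fragment in the style an obfuscator produces.
SAMPLE_JAVA = f'''
public class a {{
    static final String TAG = "MainActivity";
    static String b() {{ return new String(Base64.decode("{URL_LITERAL}", 0)); }}
    static String c() {{ return new String(Base64.decode("{PARAM_LITERAL}", 0)); }}
    static String d() {{ return new String(Base64.decode("{HEADER_LITERAL}", 0)); }}
    static final String key = "{BINARY_LITERAL}";
}}
'''

# A quoted literal made only of base64 alphabet characters, 8+ chars, optional padding.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def recover_strings(java_source):
    """Return (literal, decoded_text) pairs for literals that decode to printable ASCII."""
    found = []
    for literal in LITERAL_RE.findall(java_source):
        try:
            raw = base64.b64decode(literal, validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            # Not valid base64 (bad length/padding) or not ASCII once decoded.
            continue
        if text and all(ch in PRINTABLE for ch in text):
            found.append((literal, text))
    return found


def recovered_text(java_source):
    """Just the decoded strings, in order of appearance in the source."""
    return [text for _, text in recover_strings(java_source)]


if __name__ == "__main__":
    for literal, text in recover_strings(SAMPLE_JAVA):
        print(f"{literal!r} -> {text!r}")
```

Run against a real decompiled tree, the same function applied file by file surfaces URLs, parameter names and headers in one pass; the literal "MainActivity" in the sample is length-12 valid base64 but decodes to non-ASCII bytes, and the key blob contains NUL bytes, so neither is reported.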
This GET request failed in our research environment, possibly because the server had already been discovered and taken offline, but we can see the full URL with the credit card number in the app's cache:
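Because the card number travels as a plain query parameter in a GET request, it is visible to any proxy or egress logging in the path, which gives defenders a detection opportunity. The block below is an added example, not code from the post: it scans constructed proxy log lines (placeholder hosts; the card numbers are the well-known public test numbers, not real accounts) for query-string values that are 13 to 19 digits and pass the Luhn check, and also shows the kind of issuer-prefix test the malware itself performs on the victim's card, with a placeholder prefix list since the post does not give the OneVanilla prefix.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: "<timestamp> <method> <url>". Hosts are
# placeholders and the card numbers are public test numbers.
SAMPLE_LOG = """\
2016-01-01T12:00:00Z GET http://c2.example.invalid/gate.php?card=4111111111111111&sum=500
2016-01-01T12:00:05Z GET http://cdn.example.invalid/img.png?v=1234567890123456
2016-01-01T12:00:09Z GET http://news.example.invalid/?id=20160101
2016-01-01T12:00:12Z POST http://c2.example.invalid/gate.php?card=4012888888881881
"""

# Placeholder: the issuer prefix the malware checks for is not given in the post.
EXPECTED_PREFIXES = ("4111", "4012")

DIGITS_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(number):
    """Standard Luhn check-digit test over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if a query value has card-number length and passes Luhn."""
    return bool(DIGITS_RE.match(value)) and luhn_ok(value)


def has_expected_prefix(number, prefixes=EXPECTED_PREFIXES):
    """The issuer-prefix (BIN) style check the post describes, with placeholder prefixes."""
    return number.startswith(prefixes)


def mask_pan(number):
    """Keep first 6 and last 4 digits so the alert does not itself leak the card."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def find_card_exfil(log_text, prefixes=EXPECTED_PREFIXES):
    """Return one hit per query parameter whose value looks like a card number."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, method, url = parts
        split = urlsplit(url)
        for key, value in parse_qsl(split.query, keep_blank_values=True):
            if looks_like_pan(value):
                hits.append({
                    "ts": ts,
                    "method": method,
                    "host": split.hostname,
                    "param": key,
                    "pan_masked": mask_pan(value),
                    "prefix_match": has_expected_prefix(value, prefixes),
                })
    return hits


if __name__ == "__main__":
    for hit in find_card_exfil(SAMPLE_LOG):
        print(hit)
```

The Luhn test is what keeps the 16-digit cache-buster value in the second line from firing; the 8-digit article id in the third line fails the length test. The masked form is deliberate: an alert that copies the full number into a SIEM creates a second place where card data is stored.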
Despite the failure, we are told that our "request will be processed in 24 hours":
No information about the device itself was uploaded with the ransom payment. Aside from the credit card number, the malware authors have no way to associate the payment with a particular victim, and there does not appear to be any mechanism to remotely disable the locker.
Sky ATP supports both static and dynamic analysis of Android apps and applies the same machine learning deep-analysis pipeline as for Windows executables, documents, and media files:
Users can avoid most Android malware by downloading apps only from trusted sources. In the event of infection, the locker can be safely stopped and removed by booting into the device's safe mode and manually uninstalling the app: