Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Juniper Employee , Juniper Employee Juniper Employee
Threat Research
Mobile Malware and Sky ATP
Feb 20, 2018

There has been a dramatic increase in attacks aimed at smartphones, tablets, and even "smart TVs", mostly targeting the Android ecosystem. Unlike Apple's iOS, Android allows users to use alternate app stores and to "sideload" arbitrary apps onto a device. There are entire marketplaces of "cracked" apps -- unauthorized versions of paid apps distributed for free -- and many thousands more apps that offer malicious payloads in addition to their advertised functionality. 

 

In this post, we'll look at a recent example of a "locker", an application that takes control of a device and demands a ransom payment. Unlike typical PC ransomware, lockers don't encrypt a device's storage, but simply take over the display in a way that is nearly impossible to exit, rendering the device unusable. This particular sample purports to be an app for a popular pornographic site.

 

icon.png

 

Infection

Launching the app shows a brief installation screen.

 

install.png

 

This is followed by an official-looking demand stating that "suspicious files have been found", and that the device is locked until a $500 penalty is paid.

 

fbi.png

 

Analysis

A typical user will find it nearly impossible to exit from this malicious app. To see how the malware authors accomplish this, we first note that the app requests a wide range of permissions.

 

permissions.png

 

The highlighted permission, SYSTEM_ALERT_WINDOW, allows the app to display a notification that covers the entire screen and cannot be dismissed. In addition, the app runs a simple service in the background to restart itself when the device is rebooted and in case of crash or termination.

 

The app gathers information about the user and attempts to take a picture of the victim using the device's front-facing camera. This information is displayed, followed by a sequence of graphic and disturbing pornographic images that were purportedly discovered on the user's device.

 

info.png

 

Despite this allegation, which is accompanied by the text of various laws concerning illegal pornography, these images are actually part of the malware itself. Here, in the decompiled app's resources, we find these pornographic images among assorted icons and logos:

 

resources.png

 

The app solicits a ransom payment via a OneVanilla prepaid debit card.

 

payment.png

 

In the app's decompiled code, we can see that the application verifies that the credit card entered by the victim has the appropriate prefix for a OneVanilla-issued card:

 

cc_validation.png

 

The app is written in Java, which can often be decompiled back to something similar to the original source code. However, the malware authors appear to have used an automated tool to obfuscate the code and make it more difficult to analyze. Here is the snippet of code that uploads the credit card information to a server controlled by the malware distributor:

 

http_obf.png

 

Removing the base64 encoding, we start to see hints of the operation in the form of ASCII strings:

 

http_partunobf.png

 

With additional manual deobfuscation, we find the code that uploads the credit card information as a parameter in an HTTP GET request:

 

http_unobf.png

 

This GET request failed in our research environment, possibly because the server had already been discovered and taken offline, but we can see the full URL with the credit card number in the app's cache:

 

cc_url.png

 

Despite the failure, we are told that our "request will be processed in 24 hours":

 

processed.png

 

No information about the device itself was uploaded with the ransom payment. Aside from the credit card number, the malware authors have no way to associate the payment with a particular victim, and there does not appear to be any mechanism to remotely disable the locker.

 

Detection

Sky ATP supports both static and dynamic analysis of Android apps and applies the same machine learning deep-analysis pipeline as for Windows executables, documents, and media files:

 

verdict.png

 

Remediation 

 

Users can avoid most Android malware by downloading apps only from trusted sources. In the event of infection, the locker can be safely stopped and removed by booting into the device's safe mode and manually uninstalling the app:

 

Screenshot_1507659669.png

 

 

 

Feb 20, 2018
Christopher46

My android got this and im still unsure on how to get rid of this. Is this all fake FBI stuff? I'm really scared and I haven't tried any of this stuff on purpose.

Feb 20, 2018
Christopher46

Please help i'm really confused and i cant get rid of this stupid app.

Top Kudoed Authors