Android ransomware with a Direct3D DLL

Recently I came across an Android ransomware sample (sha256: c0cb135eef45bb8e411d47904ce638531d53473729c7752dc43c6d55d5ed86f8). This sample is interesting for a couple of reasons, but one property of the APK is truly bizarre: it bundles a raw resource that turns out to be a Direct3D library, a Windows DLL signed by Microsoft. Why a Windows DLL would be included in an APK is beyond me. Anyhow, let's get back to business and look at what the sample does.
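As an added triage helper (my code, not anything from the sample or the original post), here is how one would sweep an APK for embedded Windows executables like the Direct3D DLL above. An APK is a zip archive, so the script walks every entry, checks for an MZ header whose e_lfanew field points at a valid PE signature, and reports name, size and SHA-256 of each hit. The APK is constructed in memory with made-up entry names and bytes so that it runs offline; point `find_embedded_pe` at real APK bytes instead. Whether a hit is really signed by Microsoft is a separate Authenticode check that this script does not attempt.

```python
"""Scan an APK (a zip archive) for embedded Windows PE files.

Added example: the entries and bytes below are constructed for the demo and
are not taken from the analysed sample.
"""
import hashlib
import io
import struct
import zipfile


def is_pe_file(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def find_embedded_pe(apk_bytes: bytes) -> list[dict]:
    """Return one record per zip entry that looks like a Windows PE file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if is_pe_file(data):
                hits.append({
                    "name": info.filename,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return hits


def _fake_pe(extra: bytes = b"") -> bytes:
    """Build a minimal blob with a valid MZ/PE layout (constructed test data)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    return bytes(header) + b"PE\x00\x00" + extra


def build_demo_apk() -> bytes:
    """Assemble an in-memory zip shaped like an APK, with one PE under res/raw."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)  # AXML magic
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/raw/d3d.bin", _fake_pe(b"\x4c\x01" + b"\x00" * 200))
        zf.writestr("lib/armeabi/libnative.so", b"\x7fELF" + b"\x00" * 60)  # ELF, not PE
        # Starts with "MZ" but has no PE header: must not be reported.
        zf.writestr("assets/notes.txt",
                    b"MZ is only a signature if a PE header follows it, as in this constructed text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_pe(build_demo_apk()):
        print(f"{hit['name']}: {hit['size']} bytes, sha256={hit['sha256']}")
```

Running it against a real sample is a one-liner: `find_embedded_pe(open("sample.apk", "rb").read())`. The two-stage check (MZ, then PE at e_lfanew) is what keeps text files that happen to start with "MZ" out of the results.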

Quick look

First things first. The app pretends to be an NFS Hot Pursuit Android game straight from EA; both the app name and the icon look like the legitimate game. Upon running, however, it displays a screen stating that the phone has been blocked because the user watched child pornography. The ransomware targets both Russian and Ukrainian users and carries text in both languages. The code below checks whether the SIM country ISO code (SimCountryIso) equals "ua" and picks the displayed text accordingly.


The "fine" that has to be paid is either 100 hryvnia (about 8 USD!) or 500 rubles (about 13 USD). It has to be paid either through QIWI VISA WALLET, a prepaid wallet popular in Russia, or (and this is the fun part) by adding funds to a prepaid phone! The app includes instructions on how to top up that phone; they are reproduced below. I don't know either Ukrainian or Russian, but I used Google Translate and so can you!

 1. Найдите ближайший терминал. 
 2. Подойдите к терминалу и выберете пополнение счета
 3. Введите номер телефона +380685815686 и нажмите далее 
 4. Вставьте деньги в купюроприемник и нажмите оплатить 
 5. В течении 180 минут после поступления платежа ваш телефон будет разблокирован. 
 ВНИМАНИЕ: Попытки разблокировать телефон самостоятельно приведут: 
 К полной блокировке вашего телефона и потери всей важной информации(фотографии, видео, музыка). 
 Без дальнейшей возможности разблокирования и восстановления данных.  

 English translation:
 1. Find the nearest payment terminal.
 2. Go to the terminal and choose "top up account".
 3. Enter the phone number +380685815686 and press Next.
 4. Insert the money into the bill acceptor and press Pay.
 5. Within 180 minutes of the payment being received, your phone will be unlocked.
 WARNING: Attempts to unlock the phone yourself will lead to:
 complete locking of your phone and loss of all important information (photos, videos, music),
 with no further possibility of unlocking or recovering the data.

What is also quite interesting is that the number above is stored in plaintext, while the Russian number is encrypted inside the code. So how does the locking actually work? It's plain and simple. First, the app sets up an ExecutorService and calls scheduleAtFixedRate. Every second an Activity is started, and this Activity is responsible for displaying the ransom demand shown above.


The second scheduled task polls a URL: it sends a randomly generated number together with the device ID in a GET request. If it receives an HTTP 200 response it sets a "STOPE" flag and from then on the application is harmless. That's the whole "protocol". As described, only the status code is inspected, so any host that answers the request with a 200 will disarm the locker, which is handy in the lab.
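To make the kill switch concrete, here is an added model of the check (my code, not the sample's decompiled logic): the client composes the polling URL from a random nonce and the device ID and treats exactly one outcome, HTTP 200, as "stop locking". The query parameter names (`id`, `r`), the `/unlock` path and the device ID are assumptions for the demo. A throw-away HTTP server on localhost stands in for the attacker's host, and equally for an analyst's sinkhole: the same code path shows that a 404 or an unreachable host keeps the lock active, while any 200 releases it.

```python
"""Model of a status-code-only kill switch and a local stand-in for the C2.

Added example. Parameter names, path and device ID are constructed, not
taken from the analysed sample.
"""
import random
import socket
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_check_url(base_url: str, device_id: str, rng: random.Random) -> str:
    """Compose the polling URL: base plus a random nonce and the device ID."""
    query = urllib.parse.urlencode({"id": device_id, "r": rng.randint(0, 2**31 - 1)})
    return f"{base_url}?{query}"


def kill_switch_fired(base_url: str, device_id: str, rng: random.Random,
                      timeout: float = 2.0) -> bool:
    """Return True only on HTTP 200; any error or other status keeps the lock active."""
    url = build_check_url(base_url, device_id, rng)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 4xx/5xx: keep locking
    except (urllib.error.URLError, socket.timeout, OSError):
        return False  # no network, refused, DNS failure: keep locking


class _FakeC2(BaseHTTPRequestHandler):
    """Constructed stand-in server: 200 under /unlock, 404 anywhere else."""

    def do_GET(self):
        path = urllib.parse.urlparse(self.path).path
        self.send_response(200 if path == "/unlock" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo() -> dict:
    """Exercise the check against a 200 sinkhole, a 404 path and a dead port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeC2)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()

    # Reserve and release a port so the 'unreachable' case is a clean connection refusal.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()

    rng = random.Random(1337)
    device_id = "0123456789abcdef"  # constructed, not the sample's
    result = {
        "sinkhole_200": kill_switch_fired(f"http://{host}:{port}/unlock", device_id, rng),
        "not_found_404": kill_switch_fired(f"http://{host}:{port}/check", device_id, rng),
        "unreachable": kill_switch_fired(f"http://127.0.0.1:{dead_port}/unlock", device_id, rng),
    }
    server.shutdown()
    server.server_close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for an analyst is in the first result: redirecting the sample's hostname to a box that answers every GET with a 200 is enough to flip the "STOPE" flag. The random nonce adds nothing here, since the client never compares it against anything in the reply.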

As for persistence, it simply registers for the BOOT_COMPLETED intent to start the activity after a reboot. It also holds a WakeLock, which keeps the device from sleeping while the lock screen is up (a WakeLock cannot actually stop the user from powering the phone off). The fun part is the use of ACTION_EXTERNAL_APPLICATIONS_AVAILABLE. This Intent is broadcast when a set of previously unavailable packages becomes available again, i.e. when the external storage they are installed on is mounted; an ordinary app installation is signalled by PACKAGE_ADDED instead. It presumably gives the locker one more trigger to relaunch itself, but that is just a guess.
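The persistence indicators above are all visible in the manifest, so an added triage helper (my code, not from the post or the sample) can flag them before any dex analysis. The manifest inside an APK is binary AXML and must first be decoded with apktool or similar; the function below then works on the plain XML. The demo manifest is constructed to mirror what the write-up describes (a BOOT_COMPLETED receiver that also listens for EXTERNAL_APPLICATIONS_AVAILABLE, plus WAKE_LOCK), with a made-up package and component names. The indicator tables also list a couple of common locker triggers the post does not mention (USER_PRESENT, SYSTEM_ALERT_WINDOW) so the helper is useful beyond this one sample.

```python
"""Flag persistence-related permissions and receiver actions in a decoded
AndroidManifest.xml.

Added example. DEMO_MANIFEST is constructed; package and class names are
invented and not those of the analysed sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions a locker typically abuses to relaunch itself.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE": "restarts when packages on external storage reappear",
    "android.intent.action.USER_PRESENT": "restarts when the user unlocks the screen",
}
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "required to receive BOOT_COMPLETED",
    "android.permission.WAKE_LOCK": "keeps the device awake",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}

DEMO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.nfs.hotpursuit">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="NFS Hot Pursuit">
        <activity android:name=".LockActivity"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def persistence_indicators(manifest_xml: str) -> list[str]:
    """Return human-readable findings for suspicious permissions and receiver actions."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # attributes are namespaced: {ns}name
    findings = []

    for perm in root.iter("uses-permission"):
        name = perm.get(name_attr, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(f"permission {name}: {SUSPICIOUS_PERMISSIONS[name]}")

    for receiver in root.iter("receiver"):
        component = receiver.get(name_attr, "?")
        for action in receiver.iter("action"):
            name = action.get(name_attr, "")
            if name in SUSPICIOUS_ACTIONS:
                findings.append(
                    f"receiver {component} listens for {name}: {SUSPICIOUS_ACTIONS[name]}")
    return findings


if __name__ == "__main__":
    for line in persistence_indicators(DEMO_MANIFEST):
        print(line)
```

A receiver that registers for BOOT_COMPLETED without the matching RECEIVE_BOOT_COMPLETED permission will never fire, so seeing both together, as here, is the real indicator; a game has no business holding either.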

Summary

As you have seen, this app is rather simple. Well, it's very primitive even. However, it is still virtually undetected (only 2 of the VirusTotal engines flagged it as of 29 September). That, combined with a really low ransom demand, can make a campaign like this succeed.

Adding funds to a prepaid phone? Really?!
