How does PornDroid (aka Koler) work?

Recently Kafeine identified a CP ransomware for Android. The idea was the same as with the previously identified one for Windows. Victims were presented with the Child Pornography pictures, their browsing history and their own image (snapped from the camera), plus some phone-identifying details. The message said that the FBI/PRISM/NSA or some other entity wants you to pay a "fine" in order to unlock your computer. Pretty standard ransomware, not unlike the one I previously described. But, unlike the one mentioned in previous posts, this one is actually a little more complex. So, if you want a general overview, go to Kafeine's post; I'll present a look under the hood here.

How to write a ransomware?

Well, it's not that easy. As we've seen previously, you can just display a message every couple of seconds. The previous app used the scheduleAtFixedRate function to ensure that the lock message is always displayed. This app also makes sure that it is always visible, but does it with a startActivity call at a predefined interval. The Activity is just the ransomware window. Even if you navigate to some other window, a background service makes sure that the ransomware is back on top. Take a look at the simple code below that does just that.


That was easy. However, you also have to make sure that you can unlock the phone after the user pays the ransom. From what I've seen, ransomware cybercriminals make sure that, if the payment was made correctly, your computer or smartphone is unlocked. The previously described app did this by checking the C&C response. This one does it in a different, more interesting way: it exposes a JavaScript API that gives the attacker a shell on your phone. The ransom message is just a website, so the attacker can use e.g. AJAX to control your smartphone. The JS API is exposed using the JavascriptInterface decorator (or Annotation, as it is called in Java) and exposes three methods, as you can see below.
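The three behaviours just described (a service that keeps relaunching the lock Activity, a WebView JavaScript bridge, and Device Admin abuse) are what an analyst looks for when triaging decompiled output of an APK like this. The script below is an added example, not code from the post or from the sample: it runs a few regex heuristics over constructed Java fragments that imitate those patterns (class and package names are invented) and reports which files match. It assumes the input is decompiled Java source such as jadx produces.

```python
import re
from collections import defaultdict

# Constructed sample of decompiled Java fragments, shaped like the three behaviours
# the post describes (a service that relaunches the lock Activity, a WebView
# JavaScript bridge, and a Device Admin receiver). These are not the sample's code.
SAMPLE_SOURCES = {
    "com/example/lock/LockService.java": """
        public class LockService extends Service {
            public int onStartCommand(Intent i, int flags, int id) {
                new Timer().scheduleAtFixedRate(new TimerTask() {
                    public void run() { startActivity(new Intent(LockService.this, LockActivity.class)); }
                }, 0, 1000);
                return START_STICKY;
            }
        }
    """,
    "com/example/lock/LockActivity.java": """
        public class LockActivity extends Activity {
            protected void onCreate(Bundle b) {
                WebView w = new WebView(this);
                w.addJavascriptInterface(new Bridge(), "android");
            }
            class Bridge {
                @JavascriptInterface public void unlock() { }
                @JavascriptInterface public void lock() { }
                @JavascriptInterface public String exec(String cmd) { return ""; }
            }
        }
    """,
    "com/example/lock/AdminReceiver.java": """
        public class AdminReceiver extends DeviceAdminReceiver {
            public CharSequence onDisableRequested(Context c, Intent i) { return "locked"; }
        }
    """,
    "com/example/util/Strings.java": """
        public class Strings { static String rev(String s) { return new StringBuilder(s).reverse().toString(); } }
    """,
}

# Indicator name -> regex over decompiled source; each maps to one behaviour from the post.
INDICATORS = {
    "service_relaunches_activity": re.compile(r"extends\s+Service[\s\S]*?startActivity\("),
    "fixed_rate_timer": re.compile(r"scheduleAtFixedRate\("),
    "js_bridge_exposed": re.compile(r"addJavascriptInterface\("),
    "js_bridge_methods": re.compile(r"@JavascriptInterface"),
    "device_admin_receiver": re.compile(r"extends\s+DeviceAdminReceiver"),
    "device_admin_disable_hook": re.compile(r"onDisableRequested\("),
}

def scan_sources(sources):
    """Return {indicator: [files]} for every indicator that matched at least once."""
    hits = defaultdict(list)
    for path, text in sources.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[name].append(path)
    return dict(hits)

def count_js_bridge_methods(sources):
    """Count @JavascriptInterface-annotated methods across all files (the post reports three)."""
    return sum(len(INDICATORS["js_bridge_methods"].findall(t)) for t in sources.values())

def triage_verdict(hits):
    """A persistent lock screen combined with remote control or Device Admin abuse is what to escalate."""
    persistent_lock = "service_relaunches_activity" in hits or "fixed_rate_timer" in hits
    remote_control = "js_bridge_exposed" in hits
    admin_abuse = "device_admin_receiver" in hits
    if persistent_lock and (remote_control or admin_abuse):
        return "escalate: locker with remote-control or device-admin behaviour"
    if persistent_lock or remote_control or admin_abuse:
        return "review: single suspicious behaviour"
    return "clean by these heuristics"

if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    for name, files in sorted(found.items()):
        print(f"{name}: {', '.join(files)}")
    print("JS bridge methods:", count_js_bridge_methods(SAMPLE_SOURCES))
    print(triage_verdict(found))
```

These are triage heuristics, not a signature: a legitimate app can legitimately use a JavaScript bridge or a Device Admin receiver, so the script only ranks what deserves a manual look, and the combination of a self-relaunching lock Activity with either of the other two is the one that should not be ignored.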


Some tricks

This malware also uses some "encryption" tricks, like reversing strings represented as byte arrays (see below).
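Reversed byte arrays defeat a plain `strings` pass but nothing else, so the practical response is a small decoder over the decompiled source. The script below is an added example, not code from the post or the sample: it finds `new byte[] { ... }` literals in constructed Java text (the field names and values are invented), handles decimal, hex, `(byte)` casts and negative Java bytes, and reverses each array back into the plaintext.

```python
import re

# Constructed sample of decompiled Java showing the trick from the post: strings are
# stored as byte arrays in reverse order. The names and values are made up here.
SAMPLE_SOURCE = r"""
public class Cfg {
    static final byte[] A = new byte[] { 112, 112, 97, 47, 101, 108, 112, 109, 97, 120, 101, 47, 109, 111, 99 };
    static final byte[] B = new byte[] { 0x6b, 0x63, 0x6f, 0x6c, 0x6e, 0x75 };
    static String dec(byte[] b) { return new StringBuilder(new String(b)).reverse().toString(); }
}
"""

# Matches `NAME = new byte[] { ... }` and captures the field name and the literal body.
BYTE_ARRAY = re.compile(r"(\w+)\s*=\s*new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")

def parse_byte_literal(body):
    """Convert the text between the braces into bytes.

    Accepts decimal and hex tokens, optional `(byte)` casts, and negative values,
    since Java bytes are signed (-1 is stored as 0xFF).
    """
    out = bytearray()
    for tok in body.split(","):
        tok = tok.replace("(byte)", "").strip()
        if not tok:
            continue
        value = int(tok, 16) if tok.lower().startswith(("0x", "-0x")) else int(tok, 10)
        out.append(value & 0xFF)
    return bytes(out)

def decode_reversed(raw):
    """Undo the reversal: flip the byte order, then decode."""
    return raw[::-1].decode("utf-8", errors="replace")

def extract_reversed_strings(source):
    """Map every reversed byte-array field in the source to its plaintext."""
    return {m.group(1): decode_reversed(parse_byte_literal(m.group(2)))
            for m in BYTE_ARRAY.finditer(source)}

if __name__ == "__main__":
    for name, text in extract_reversed_strings(SAMPLE_SOURCE).items():
        print(f"{name} = {text!r}")
```

If a sample layers something on top of the reversal (an XOR, a fixed offset), the change goes into `decode_reversed`; the literal parser stays the same.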


It also uses Interfaces extensively, so that you lose count of which class represents what. This is a really nice obfuscation technique, which is, coincidentally, also the underlying technology of the Java Spring framework. Another nice feature is that if you try to strip the application of its Device Admin privileges, it locks your phone and displays a message confirming the action (see below).


There is also one other obfuscation technique that was not used in this particular sample, but the code is written in such a way that it made me think of a subtle Java-based obfuscation. See, when you have Interfaces in Java you can use any class that implements that Interface. You can also use reflection to load that class (so that you don't have those pesky imports). Now, let's assume that you have several implementations of one Interface, as is usually the case. You then start an Activity using an Intent and pass the location of the class that implements the Interface as an Intent parameter.

Not only that, but you can take it one step further. Instead of simply sending a fully qualified class name, you can send a hash of the class name. Then just go through every class name and compare its hash. This is a variation of the technique used in Windows malware to resolve DLLs or DLL functions by hash. Researchers will have no idea which class you are using. However, unlike in the case of Windows malware, you still have an Interface to interact with, so you keep those IDE tips and auto-completion. Win-win, right?
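The analyst's answer to hash-based class selection is the same as for Windows API hashing: the APK ships every class name, so you hash all of them and match the result against the constants in the loader. The script below is an added example, not code from the post or the sample. It assumes the loader uses Java's own `String.hashCode()` (the post does not say which hash a real implementation would pick; if it is something else, pass that function as `hash_fn` and the rest is unchanged). The class list and the "observed" hash values are constructed for the example.

```python
# Reproduces java.lang.String.hashCode() so hashes embedded in the loader can be
# matched against the APK's class list. Class names below are constructed.
APK_CLASSES = [
    "com.example.app.Main",
    "com.example.app.LockActivity",
    "com.example.app.net.HttpSender",
    "com.example.app.net.SmsSender",
    "com.example.app.net.NullSender",
]

def java_string_hash(s):
    """h = 31*h + c over the UTF-16 code units, wrapped to a signed 32-bit int like Java."""
    h = 0
    units = s.encode("utf-16-be")
    for i in range(0, len(units), 2):
        h = (31 * h + ((units[i] << 8) | units[i + 1])) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h

def build_hash_index(class_names, hash_fn=java_string_hash):
    """Precompute hash -> [class names]; a list because collisions are possible in principle."""
    index = {}
    for name in class_names:
        index.setdefault(hash_fn(name), []).append(name)
    return index

def resolve_hashes(observed, class_names, hash_fn=java_string_hash):
    """For each hash pulled out of the code, return the candidate class(es), or None if unknown."""
    index = build_hash_index(class_names, hash_fn)
    return {h: index.get(h) for h in observed}

# In a real analysis these integers come from the decompiled loader (e.g. the Intent extra
# the post describes). Here they are constructed from the names above, plus one bogus value.
OBSERVED_HASHES = [java_string_hash("com.example.app.net.SmsSender"), 0x1234]

if __name__ == "__main__":
    for h, names in resolve_hashes(OBSERVED_HASHES, APK_CLASSES).items():
        print(h, "->", names)
```

The class list comes from the DEX file (any tool that lists its types will do); a hash that resolves to nothing usually means the hash function guess is wrong or the target class is loaded from a second DEX, which is itself a useful finding.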
