Android ransomware with a Direct3D DLL

Recently I came across an Android ransomware sample (sha256: c0cb135eef45bb8e411d47904ce638531d53473729c7752dc43c6d55d5ed86f8). This sample is interesting for a couple of reasons, but one property of this APK file is truly bizarre: it includes a raw resource file that is actually a Direct3D library signed by Microsoft. Why a Windows-based DLL file is included in the APK file is just beyond me. Anyhow, let's get back to business and have a look at the sample and what it does.

Quick look

First things first. The app pretends to be the NFS Hot Pursuit Android game, straight from EA. Both the app name and the icon look like the legitimate game. However, once run, it displays a screen claiming that the phone has been blocked because the user watched child pornography. The ransomware targets both Russians and Ukrainians and carries text in both languages. The code below checks whether the SimCountryIso is equal to "ua" and changes the displa...
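A defender-side triage check for the two observations above, added here as an example (not code from the post or from the sample itself): it scans an APK for Windows PE images hidden among its resources and flags a classes.dex that references the getSimCountryIso API. The APK is constructed inside the script, and file names such as res/raw/d3d.dll are hypothetical.

```python
import io
import struct
import zipfile

SIM_COUNTRY_API = b"getSimCountryIso"  # TelephonyManager method the post's sample checks


def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample (NOT the real APK): a zip holding a fake
    classes.dex that references getSimCountryIso and a PE image under res/raw/."""
    # Minimal PE image: 'MZ' magic, e_lfanew at offset 0x3c pointing at 'PE\0\0'.
    pe = bytearray(b"MZ" + b"\x00" * 58)            # 60 bytes: DOS header up to e_lfanew
    pe += struct.pack("<I", 0x80)                    # e_lfanew -> PE signature at 0x80
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # placeholder binary XML
        z.writestr("classes.dex", b"dex\n035\x00" + SIM_COUNTRY_API + b"\x00ua\x00")
        z.writestr("res/raw/d3d.dll", bytes(pe))                  # hypothetical name
        z.writestr("res/raw/bgm.ogg", b"OggS" + b"\x00" * 16)    # benign raw resource
    return buf.getvalue()


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(apk_bytes: bytes) -> list[str]:
    """Names of APK entries that are Windows PE images (EXE/DLL); none belong in a normal APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.is_dir() and is_pe_image(z.read(info)):
                hits.append(info.filename)
    return hits


def uses_sim_country_check(apk_bytes: bytes) -> bool:
    """Crude strings-style heuristic: does any dex in the APK mention getSimCountryIso?
    Real triage would decompile the dex; this only flags the API name for a closer look."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return any(SIM_COUNTRY_API in z.read(n) for n in z.namelist() if n.endswith(".dex"))


if __name__ == "__main__":
    apk = build_sample_apk()
    print("PE images in APK:", find_embedded_pe(apk))
    print("references getSimCountryIso:", uses_sim_country_check(apk))
```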