    Jun 17, 12:49 pm (UTC-7) | by

    The recent introduction of ransomware in the mobile threat landscape was followed by a new development: the usage of TOR to hide C&C communication.

    In our analysis of samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface notifying the user that their device has been locked, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay will result in the destruction of all data on the mobile device.

    Examples of apps we’ve seen that display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores.

    Here is the warning shown to the user, which is in Russian:

    Figure 1. Warning to user (Click to enlarge)

    Here is a rough translation of the warning:

    For downloading and installing software nelitsenzionnnogo your phone has been blocked in accordance with Article 1252 of the Civil Code of the Russian Federation Defence exclusive rights.

     To unlock your phone pay 1000 rubles.

     You have 48 hours to pay, otherwise all data on your phone will be permanently destroyed!

     1. Locate the nearest terminal payments system QIWI

     2. Approach to the terminal and choose replenishment QIWI VISA WALLET

     3. Enter the phone number 79660624806 and press next

     4. Window appears comment – then enter your phone number without 7ki

     5. Put money into terminal and press pay

     6. Within 24 hours after payment is received, your phone will be unlocked.

     7. So you can pay via mobile shops and Messenger Euronetwork

     CAUTION: Trying to unlock the phone yourself will lead to complete full lock your phone, and the loss of all the information without further opportunities unlock.

    The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keep popping up, preventing the user from using their device properly. At the same time, files on the device (in both internal and external storage) with the following extensions are encrypted:

    • jpeg
    • jpg
    • png
    • bmp
    • gif
    • pdf
    • doc
    • docx
    • txt
    • avi
    • mkv
    • 3gp
    • mp4

    While the above-mentioned routines are typical of ransomware, we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware.

    How to Remove this Ransomware?

    For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge (adb). adb is part of the Android SDK, which can be freely downloaded from the Android website. The process is as follows:

    1. Install the Android SDK on a PC, including the adb component.
    2. Connect the affected device via USB to the PC.
    3. Run the following command from the command line:
      adb uninstall "org.simplelocker"

    This procedure will work without problems on devices with Android versions lower than 4.2.2. For 4.2.2 and later, however, there is a problem: the phone prompts the user with a dialog to accept a key to allow debugging. The ransomware’s own UI keeps interrupting this, making it difficult to use adb to remove the ransomware.
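    The removal procedure above, wrapped in a small script as an added example (not from the original post). It assumes adb is on PATH and uses the package name org.simplelocker from the post; the parsing helpers distinguish a connected-and-authorised device from the "unauthorized" state that the Android 4.2.2+ key prompt produces, and verify the package is actually gone after the uninstall.

```bash
#!/bin/sh
# Added example: adb-based removal of the org.simplelocker package (package name from the post).
# Assumes adb is installed and USB debugging was enabled on the device before infection.
PKG="org.simplelocker"

# Parse `adb devices` output and print the state of the first device:
# "device" (ready), "unauthorized" (key prompt not yet accepted) or "none".
device_state() {
    state=$(printf '%s\n' "$1" | awk 'NR>1 && NF>=2 && $1 !~ /^\*/ {print $2; exit}')
    printf '%s\n' "${state:-none}"
}

# Return 0 if `pm list packages` output ($1) contains the package $2.
# adb shell output may carry CRLF line endings, so strip \r before matching.
has_package() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$2"
}

# Run the actual procedure against the connected device.
remove_locker() {
    state=$(device_state "$(adb devices)")
    case "$state" in
        none)
            echo "no device seen: connect via USB with USB debugging enabled" >&2; return 1 ;;
        unauthorized)
            echo "debugging not authorised: accept the key prompt on the phone (Android 4.2.2+)" >&2; return 2 ;;
    esac
    if ! has_package "$(adb shell pm list packages)" "$PKG"; then
        echo "$PKG is not installed on this device" >&2; return 3
    fi
    adb uninstall "$PKG"
    # Verify removal; a remaining package means the uninstall did not take effect.
    if has_package "$(adb shell pm list packages)" "$PKG"; then
        echo "$PKG still present after uninstall" >&2; return 4
    fi
    echo "$PKG removed; restore encrypted files from backup"
}

# Only touch a real device when invoked with an argument, e.g. `sh remove_locker.sh run`.
if [ "$#" -gt 0 ]; then
    remove_locker
fi
```

Removing the package does not decrypt files; as the post says, restore them from backup.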

    Note that in all cases, the user must have enabled USB debugging on their device before being infected; doing this may be difficult as the steps differ from device to device. In addition, turning USB debugging on is a security risk in and of itself, as it means an attacker who gets physical access to a device can easily get files from it without having to enter information in the Android lockscreen.

    The above step-by-step procedure will remove the ransomware, but not recover any locked files. Recovering the files is difficult, as is the case with ransomware on PCs. We recommend that users recover their files from their backups, whether these are online or offline.

    The SHA1 hashes of the samples used to analyze this attack are as follows:


    • Frankie

      Is it possible to remove the malware in Android SafeMode instead of running ADB ?

      • 大和尚

        Probably works, I think.

      • TrendLabs

        Hi Frankie,

        Yes, it is possible to remove it in safe mode if the ROM you’re using has safe mode.
