The recent introduction of ransomware in the mobile threat landscape was followed by a new development: the usage of TOR to hide C&C communication.
In our analysis of samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface notifying the user that their device has been locked and that they must pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay will result in the destruction of all data on the mobile device.
Apps we’ve seen displaying this routine are found in third-party app stores, under names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores.
Here is the warning shown to the user, which is in Russian:
Figure 1. Warning to user
Here is a rough translation of the warning:
For downloading and installing unlicensed software, your phone has been blocked in accordance with Article 1252 of the Civil Code of the Russian Federation (protection of exclusive rights).
To unlock your phone pay 1000 rubles.
You have 48 hours to pay, otherwise all data on your phone will be permanently destroyed!
1. Locate the nearest terminal payments system QIWI
2. Go to the terminal and choose replenishment QIWI VISA WALLET
3. Enter the phone number 79660624806 and press next
4. A comment window appears; then enter your phone number without the leading 7
5. Put money into terminal and press pay
6. Within 24 hours after payment is received, your phone will be unlocked.
7. You can also pay via mobile shops and Euronetwork Messenger
CAUTION: Trying to unlock the phone yourself will lead to a complete lock of your phone and the loss of all information, with no further opportunity to unlock it.
The user is asked to pay to account 79660624806, 79151611239 or 79295382310 via QIWI, or to 380982049193 via Monexy, within 48 hours. This UI also keeps popping up, preventing the user from using their device properly. At the same time, files on the device (in both internal and external storage) with the following formats are encrypted:
While the routines described above are typical of ransomware, we found that this malware communicates with its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store on their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware.
How to Remove this Ransomware?
For users whose devices are infected with this ransomware, the malicious app can be removed manually through the Android Debug Bridge (adb). adb is part of the Android SDK, which can be freely downloaded from the Android website. The process is as follows:
- Install the Android SDK on a PC, including the adb component.
- Connect the affected device via USB to the PC.
- Run the following command from the command line:
adb uninstall "org.simplelocker"
This procedure works without problem on devices running Android versions lower than 4.2.2. On 4.2.2 and later, however, there is a problem: the phone prompts the user with a dialog to accept a key to allow debugging, but the ransomware’s own UI keeps interrupting this dialog, making it difficult to use adb to remove the malware from the phone.
Note that in all cases, the user must have enabled USB debugging on their device before being infected; doing this may be difficult as the steps differ from device to device. In addition, turning USB debugging on is a security risk in and of itself, as it means an attacker who gets physical access to a device can easily get files from it without having to enter information in the Android lockscreen.
The above step-by-step procedure will remove the ransomware, but will not recover any locked files. Recovering the files is difficult, as is the case with ransomware on PCs. We recommend that users recover their files from their backups, whether these are online or offline.
The SHA1 hashes of the samples used to analyze this attack are as follows: