
Android Ransomware Uses TOR

  • Posted on: June 17, 2014 at 12:49 pm
  • Posted in: Mobile, Ransomware
  • Author: Weichao Sun (Mobile Threats Analyst)

The recent introduction of ransomware in the mobile threat landscape was followed by a new development: the usage of TOR to hide C&C communication.

In our analysis of samples we now detect as AndroidOS_Locker.HBT, we found that this malware shows a user interface notifying the user that their device has been locked, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay will result in the destruction of all data on the mobile device.

Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores.

Here is the warning shown to the user, which is in Russian:

Figure 1. Warning to user (Click to enlarge)

Here is a rough translation of the warning:

For downloading and installing software nelitsenzionnnogo your phone has been blocked in accordance with Article 1252 of the Civil Code of the Russian Federation Defence exclusive rights.

To unlock your phone pay 1000 rubles.

You have 48 hours to pay, otherwise all data on your phone will be permanently destroyed!

1. Locate the nearest terminal payments system QIWI
2. Approach to the terminal and choose replenishment QIWI VISA WALLET
3. Enter the phone number 79660624806 and press next
4. Window appears comment – then enter your phone number without 7ki
5. Put money into terminal and press pay
6. Within 24 hours after payment is received, your phone will be unlocked.
7. So you can pay via mobile shops and Messenger Euronetwork

CAUTION: Trying to unlock the phone yourself will lead to complete full lock your phone, and the loss of all the information without further opportunities unlock.

The user is asked to pay to the account 79660624806/79151611239/79295382310 via QIWI or 380982049193 via Monexy within 48 hours. This UI also keeps popping up, preventing the user from using the device properly. At the same time, files on the device (in both internal and external storage) with the following extensions are encrypted:

  • jpeg
  • jpg
  • png
  • bmp
  • gif
  • pdf
  • doc
  • docx
  • txt
  • avi
  • mkv
  • 3gp
  • mp4

While the above-mentioned routines are typical of ransomware, we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware.

How to Remove this Ransomware?

For users whose devices are infected with this ransomware, the malicious app can be removed manually through the Android Debug Bridge (adb). adb is part of the Android SDK, which can be downloaded free of charge from the Android website. The process is as follows:

  1. Install the Android SDK on a PC, including the adb component.
  2. Connect the affected device via USB to the PC.
  3. Run the following command from the command line:
    adb uninstall "org.simplelocker"

This procedure works without problems on devices running Android versions lower than 4.2.2. On 4.2.2 and later, however, there is a problem: the phone prompts the user with a dialog to accept a key before allowing debugging, and the ransomware's own UI keeps interrupting this, making it difficult to use adb to remove the ransomware.
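As an added example (not code from the original post), the removal step above can be wrapped in a small POSIX shell helper that reads the output of adb devices first: on Android 4.2.2 and later a device reported as "unauthorized" means the USB debugging key dialog has not been accepted yet, so the uninstall is only attempted once the state is "device". The package name org.simplelocker is the one given in the post; the function names and the sample adb output in the comments are assumptions of this example.

```shell
#!/bin/sh
# Removal helper for the adb procedure described above (added example, not
# from the original post). It checks the device's authorization state before
# attempting the uninstall, so the 4.2.2+ key-dialog case is reported
# instead of failing silently. Function names are this example's own.

PACKAGE="org.simplelocker"   # package name given in the post

# device_state OUTPUT: given the text printed by `adb devices`, print the
# state of the first attached device (device | unauthorized | offline ...),
# or "none" when no device line follows the header. Example input:
#   List of devices attached
#   0123456789ABCDEF<TAB>unauthorized
device_state() {
    printf '%s\n' "$1" | awk '
        /^List of devices attached/ { hdr = 1; next }      # lines after the header describe devices
        hdr && NF >= 2 && !seen    { print $2; seen = 1 }  # second column holds the state
        END                        { if (!seen) print "none" }'
}

# remove_locker: uninstall the ransomware package only when the device is
# authorized; otherwise explain what is blocking the uninstall.
remove_locker() {
    state=$(device_state "$(adb devices 2>/dev/null)")
    case "$state" in
        device)
            adb uninstall "$PACKAGE" ;;
        unauthorized)
            echo "Device not authorized yet: accept the USB debugging key dialog" \
                 "on the phone (it may be hidden behind the ransomware UI), then rerun." >&2
            return 2 ;;
        none)
            echo "No device detected: check the USB cable and that USB debugging is enabled." >&2
            return 1 ;;
        *)
            echo "Device state is '$state'; cannot uninstall in this state." >&2
            return 1 ;;
    esac
}

# Only run when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    remove_locker
fi
```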

Note that in all cases, the user must have enabled USB debugging on their device before being infected; doing this may be difficult as the steps differ from device to device. In addition, turning USB debugging on is a security risk in and of itself, as it means an attacker who gets physical access to a device can easily get files from it without having to enter information in the Android lockscreen.

The above step-by-step procedure will remove the ransomware, but not recover any locked files. Recovering the files is difficult, as is the case with ransomware on PCs. We recommend that users recover their files from their backups, whether these are online or offline.

The SHA1 hashes of the samples used to analyze this attack are as follows:

