Trend Micro researchers detected a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform. Detected as ANDROIDOS_SLOCKER.OPSCB, this new SLocker mobile ransomware variant features new routines that utilize features of the Chinese social network QQ, along with persistent screen-locking capabilities.
SLocker, an Android file-encrypting ransomware first detected and analyzed in July, was found mimicking WannaCry’s GUI. Although Chinese police already arrested the ransomware’s alleged creator, other SLocker operators clearly remained unfazed.
Victims mostly contracted the mobile ransomware from QQ chat groups that discuss the popular gaming app ‘王者荣耀’ or King of Glory, which was also the previous variant’s infection vector. It poses as a set of game cheating tools, hiding under the names ‘钱来了’ or ‘Here comes money,’ and ‘王者荣耀修改器’ or ‘Modifiers for King of Glory.’ The game is immensely popular in China, with 200 million registered users.
Samples of the variant were packaged as “com.android.admin.hongyan” (hongyan means ‘beauty’) and “com.android.admin.huanmie” (huanmie means ‘disillusionment’). ‘Hongyan’ and ‘huanmie’ are terms widely used in Chinese novels that are popular with teenagers.
Figure 1. Screenshot of the ransom note
Figure 2. Screenshot of decrypted files. In English, ‘文件已被幻灭劫持’ means the files are locked by Disillusionment.
Additional Features of the New Variant
Aside from the GUI, which also has a few design changes, and its ability to change the wallpaper of the device once the fake tool is run, this new SLocker variant doesn’t share any other similarities with its predecessor. Unlike ANDROIDOS_SLOCKER.OPST, the new variant was created using the Android integrated development environment (AIDE), a program used to develop Android apps directly on an Android device. It is important to note that using AIDE makes it easier for ransomware operators to develop simple Android Package Kits (APKs), and the convenience it provides can attract newcomers to develop their own variants.
In fact, the ‘ADDING GROUP’ text located at the bottom of the ransom note in Figure 1 redirects the victim to a QQ forum that discusses the process of creating ransomware in exchange for money.
Figure 3. Screenshot of the QQ group page
The page is titled ‘锁机幼稚园,’ or Lock-Phone Kindergarten, and was created May 16, 2017. The description claims that the main function of the group is to teach and discuss how to lock access to phones, and that source codes will be updated continuously. At the bottom of the page, there’s a button that says ‘request to join this group.’
Apart from that, there’s another text on the ransom note, ‘CONTACT US’, which the previous mobile ransomware didn’t have. Clicking it opens the victim’s QQ chat window, supposedly to allow the ransomware operator to communicate with the victim on how to decrypt the files.
On the QQ profile page of the supposed ransomware operator, there’s also a text post claiming that in order to decrypt files, the victim must follow the instructions to be provided by an unidentified person during an incoming call.
Figure 4. QQ chat window between the victim and the ransomware operator
In addition, it uses a legitimate cloud storage service (bmob), which the ransomware operator can abuse to change the decryption key.
Figure 5. The new variant’s package structure
How the SLocker variant encrypts files
Despite appearing more advanced with its new additional routines, this variant actually uses a less sophisticated encryption process. While its predecessor used HTTP, TOR or XMPP to communicate with C&C remote servers, this variant doesn’t even use any C&C communication technology.
When executed, it carelessly targets all file types in the SD card, including the cache, system log, and tmp files, which are relatively insignificant to mobile users. The previous variant excludes the aforementioned files in its encryption process, choosing only important ones like Microsoft Office documents, as well as video and image file formats. Based on the samples, the variant appears to have used the AES encryption algorithm, and the obsolete DES encryption algorithm, which is another sign of its incompetence.
Figure 6. Snippet of code showing the DES encryption algorithm
Persistent screen-locking features
Perhaps to make up for the minor flaw of encrypting all file types in the SD card, the variant is able to lock access to the screen. If victims click the decryption button in the ransom note, the device administrator UI will appear and will persistently hijack the screen whenever victims click the cancellation button. If victims click the activation button, the variant will set or reset the device’s PIN, locking access to the screen as well.
Figure 7. Screenshot of the device administrator UI
Figure 8. Screenshot of the PIN locker
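The behaviours described above (encrypting the SD card, requesting device administrator rights, resetting the PIN) leave traces that can be checked statically before an app is installed. The following triage script is an added example, not code from the original analysis or from the malware; it assumes the APK has already been decoded to text XML (for instance with apktool), that the behaviours surface as the standard Android storage permission and device-admin `reset-password` policy, and its sample manifests, receiver name and resource name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
REPORTED_PACKAGES = {"com.android.admin.hongyan", "com.android.admin.huanmie"}  # from the article

def triage(manifest_xml, admin_policy_xml=None):
    """Return findings for one APK's decoded (text) manifest and device-admin policy XML."""
    findings = []
    root = ET.fromstring(manifest_xml)
    if root.get("package") in REPORTED_PACKAGES:
        findings.append("reported-package-name")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.append("writes-external-storage")
    # A device-admin receiver must be protected by BIND_DEVICE_ADMIN.
    if any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        findings.append("device-admin-receiver")
    if admin_policy_xml is not None:
        # <reset-password/> lets an active admin set or reset the lock-screen credential.
        policies = ET.fromstring(admin_policy_xml).find("uses-policies")
        if policies is not None and policies.find("reset-password") is not None:
            findings.append("can-reset-pin")
    return findings

def is_high_risk(findings):
    """Known package, or storage write access combined with PIN-reset device admin."""
    combo = {"writes-external-storage", "device-admin-receiver", "can-reset-pin"}
    return "reported-package-name" in findings or combo <= set(findings)

# Constructed sample inputs (not extracted from a real sample); names are hypothetical.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SUSPECT_MANIFEST = f"""
<manifest {NS} package="com.android.admin.huanmie">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
    </receiver>
  </application>
</manifest>"""
SUSPECT_POLICY = f"<device-admin {NS}><uses-policies><reset-password/></uses-policies></device-admin>"
BENIGN_MANIFEST = f"""
<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, m, p in [("suspect", SUSPECT_MANIFEST, SUSPECT_POLICY), ("benign", BENIGN_MANIFEST, None)]:
        f = triage(m, p)
        print(name, f, "HIGH RISK" if is_high_risk(f) else "ok")
```

A game "modifier" has no legitimate need for the combination of storage write access and a PIN-resetting device administrator, so the check still fires when the package is renamed.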
Solutions and Recommendations
While this new SLocker variant features a relatively flawed encryption process, the new capabilities it possesses should caution QQ subscribers and mobile gamers about the growing sophistication of ransomware operators’ attack tactics. The increasing proliferation of new variants shows that threat actors are not slowing down.
Here are tips on how to prevent ransomware from infecting your mobile devices:
- Only install apps downloaded from legitimate app stores such as Google Play
- Be careful about permissions an app asks for, especially those that allow the app to read/write on external storage
- Back up your data regularly—either on another secure device or on cloud storage
- Install comprehensive antivirus solutions. Mobile security solutions such as Trend Micro™ Mobile Security block threats from app stores before they can be installed and cause damage to devices, while Trend Micro™ Maximum Security offers in-depth protection for multiple devices and proactively secures them from the threat of ransomware.
Indicators of Compromise (IOCS)