Trend Micro recently found a piece of Android malware that turns the phone into a "brick" if the user does not pay a ransom. This new ransomware also uses the Tor (The Onion Router) anonymity service to hide its C&C communications.
Based on analysis of the ANDROIDOS_LOCKER.HBT samples detected by Trend Micro, we found that the malware displays a screen informing the user that the device has been locked and that a ransom of 1000 rubles is required to unlock it. The screen also warns that if the user refuses to pay, all the data on the phone will be destroyed.
The samples we have seen appear in third-party app stores under the following names: Sex Xonix, Release, Locker, Vplayer, Flvplayer, Dayweekbar and Video Player. Non-malicious apps with these names can be downloaded from a variety of application stores.
(Figure I: the warning message shown to the user, in Russian)
A rough translation of the warning message is:
"Thanks to the download and installation of the software Nelitsenzionnnogo, your phone has been locked in accordance with the 1252th article of the Military Code of the Russian Federation. To unlock your phone, you will be charged 1000 rubles. You have 48 hours to pay, otherwise all the data on your phone will be permanently destroyed!
1. Find the nearest QIWI terminal payment system
2. Use the terminal machine and select the supplemental Qiwi VISA WALLET
3. Enter the number 79660624806, and then press Next
4. The message form will appear: Enter your number to remove 7ki
5. Put the money in the terminal and press pay
6. Your phone will be unlocked within 24 hours of receiving payment.
7. You can pay through the action store and Messenger Euronetwork
Note: trying to unlock your phone will cause your phone to be completely locked, and all the missing data will not be restored."
The user is required to pay within 48 hours via Qiwi to account 79660624806, 79151611239 or 79295382310, or via monexy payment to account 380982049193.
This screen keeps reappearing and prevents the user from using the phone. At the same time, files with the following extensions are encrypted: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4.
The ransomware communicates with its command-and-control (C&C) server through Tor. While this is not the first time Trend Micro has seen Android malware use Tor, it is the first ransomware Trend Micro has seen take advantage of it. Considering the amount of data that users now store on their phones, Trend Micro predicts that mobile ransomware like this will continue to evolve.
For users infected with this ransomware, the malicious application can be removed manually via the Android Debug Bridge (ADB). ADB is part of the Android SDK and can be downloaded free of charge from the Android developer site. The steps are as follows:
1. Install the Android SDK, including the ADB component, on your PC
2. Connect the infected phone to the computer via USB
3. At the command line, run: adb uninstall "org.simplelocker"
These steps work without a problem on phones running Android versions below 4.2.2. On 4.2.2 and later, however, the phone displays a dialog asking the user to press a button to authorize the USB debugging connection, and the ransomware's own screen interrupts this, making it very difficult to use ADB for removal.
It is also important to note that in these cases the user must have enabled USB debugging before the phone was infected, which is hard to count on because the steps differ between phones. In addition, enabling USB debugging is itself a security risk: if an attacker gets hold of the phone, it becomes easy to extract user information without entering anything on the Android lock screen.
The above steps remove the ransomware but cannot recover the encrypted files. We recommend that users restore their files from a backup, whether online or offline.
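The removal procedure and the Android 4.2.2 authorization caveat above, as an added example (not code from the original article or from Trend Micro). It assumes adb is on PATH, uses the package name org.simplelocker stated above, and the RUN_REMOVAL switch is a hypothetical name chosen here:

```shell
#!/bin/sh
# Added example, not part of the original article. Wraps the ADB removal
# steps and reports the USB-debugging authorization problem seen on
# Android 4.2.2 and later. Assumes adb is on PATH; the package name
# org.simplelocker comes from the article; RUN_REMOVAL is a hypothetical switch.
PKG="org.simplelocker"

# device_state TEXT: parse the output of `adb devices` (passed as TEXT) and
# print the state of the first attached device: device | unauthorized |
# offline | none. "unauthorized" is what 4.2.2+ reports while the
# "Allow USB debugging?" dialog is still unanswered.
device_state() {
    printf '%s\n' "$1" | awk '
        NR > 1 && NF >= 2 { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# remove_locker: uninstall the package when the device is usable, otherwise
# explain why ADB cannot proceed. Returns 0 on success, 2 when the
# connection still needs authorization, 1 otherwise.
remove_locker() {
    state=$(device_state "$(adb devices 2>/dev/null || true)")
    case "$state" in
        device)
            adb uninstall "$PKG"
            ;;
        unauthorized)
            echo "Phone is attached but USB debugging is not authorized." >&2
            echo "On Android 4.2.2+ the confirmation dialog may be hidden" \
                 "behind the ransomware's lock screen." >&2
            return 2
            ;;
        offline)
            echo "Device is offline; reconnect the USB cable." >&2
            return 1
            ;;
        *)
            echo "No device found; USB debugging must have been enabled" \
                 "before the infection." >&2
            return 1
            ;;
    esac
}

# Run only when explicitly requested, so the file can be sourced for its
# functions without touching a phone.
if [ "${RUN_REMOVAL:-0}" = "1" ]; then
    remove_locker
fi
```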
(Figure II: SHA1 hashes of the samples analyzed for this attack)
To learn more about Trend Micro, see: http://www.trendmicro.com.cn/cn/
Another mobile phone ransomware appears: if no ransom is paid, the data will be permanently destroyed