Trend Micro recently found an Android malware family that, if the user does not pay the "ransom", effectively turns the phone into a "brick". This new ransomware also uses the Tor (The Onion Router) anonymity network to hide its C&C (command-and-control) communications.
Based on analysis of the ANDROIDOS_LOCKER.HBT samples detected by Trend Micro, we found that the malware displays a screen informing the user that the device is locked and that a ransom of 1000 rubles must be paid to unlock it. The screen also states that if the user refuses to pay, all data on the phone will be destroyed.
The samples we saw appeared in third-party app stores disguised under the following names: Sex Xonix, Release, Locker, Vplayer, Flvplayer, Dayweekbar, and Video Player. Non-malicious apps with these names can be downloaded from a variety of app stores.
(Figure I, the user's warning message, using Russian)
A rough translation of the warning message is:
"Because of downloading and installing unlicensed software, your phone has been locked in accordance with Article 1252 of the Military Code of the Russian Federation. To unlock your phone, you will be charged 1000 rubles. You have 48 hours to pay, otherwise all data on your phone will be permanently destroyed!
1. Find the nearest QIWI Terminal payment system
2. At the terminal, select the Qiwi VISA WALLET top-up option
3. Enter the number 79660624806, and then press Next
4. A message window will appear: Enter your number to remove 7ki
5. Put the money in the terminal and press Pay
6. Your phone will be unlocked within 24 hours of receiving payment.
7. You can pay through the action store and Messenger Euronetwork
Note: Attempting to unlock the phone yourself will cause the phone to be completely locked, and all data will vanish and will not be restored."
The user is told to pay one of the accounts 79660624806, 79151611239 or 79295382310 via Qiwi within 48 hours, or to pay account 380982049193 via Monexy.
This screen stays in the foreground and prevents the user from using the phone. At the same time, files with the following extensions are encrypted: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4.
The ransomware communicates with its command-and-control (C&C) server via Tor. While this is not the first time Trend Micro has seen Android malware use Tor, it is the first ransomware Trend Micro has seen that does so. Considering the amount of data that users now store on their phones, Trend Micro expects mobile ransomware of this kind to continue to evolve.
For users infected with this ransomware, the malicious application can be removed manually via the Android Debug Bridge (ADB). ADB is part of the Android SDK and can be downloaded free of charge from the Android website. The process is as follows:
1. Install the Android SDK on your PC, including the ADB component
2. Connect the infected phone to your computer via USB
3. At the command line, run: adb uninstall org.simplelocker
These steps work without difficulty on phones running Android versions below 4.2.2. For users of 4.2.2 and later, however, there is a problem: the phone pops up a dialog asking the user to authorize USB debugging by pressing a button, but the ransomware's own screen blocks that dialog, making it difficult to remove the malware with ADB.
It is also important to note that in these cases the user must have enabled USB debugging before the phone was infected, and this is not always straightforward because the steps differ between phone models. In addition, enabling USB debugging is itself a security risk: if an attacker gains physical access to the phone, it becomes easy to extract user data from it without having to get past the Android lock screen.
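A small POSIX shell helper, added here as an example and not part of the original post, that wraps the ADB removal steps above and detects the Android 4.2.2+ case the article describes (device present but USB debugging not authorized, so the uninstall cannot proceed). It assumes adb is on PATH; the function names device_state and remove_locker are the example's own, and the package name org.simplelocker is the one given in the article.

```shell
#!/bin/sh
# Added example: remove the ANDROIDOS_LOCKER.HBT package over ADB and report
# the USB-debugging authorization problem on Android 4.2.2+ instead of failing
# silently. Assumes `adb` is installed and on PATH.
PKG="org.simplelocker"   # package name from the article

# Classify the first device listed in `adb devices` output, read from stdin
# so the parsing can be checked offline with constructed sample output.
# Prints one of: none, unauthorized, device, other.
device_state() {
  # Skip the "List of devices attached" header and "* daemon ..." notices;
  # the second column of the first remaining line is the device state.
  state=$(awk '!/^List of devices/ && !/^\*/ && NF >= 2 { print $2; exit }')
  case "$state" in
    "")            echo none ;;
    unauthorized)  echo unauthorized ;;
    device)        echo device ;;
    *)             echo other ;;
  esac
}

# Attempt the removal. Return codes: 0 uninstall issued, 1 no device,
# 2 USB debugging not authorized, 3 unexpected state.
remove_locker() {
  state=$(adb devices | device_state)
  case "$state" in
    none)
      echo "No device found: connect the phone via USB." >&2
      return 1 ;;
    unauthorized)
      echo "Device present but USB debugging is not authorized (Android 4.2.2+)." >&2
      echo "The authorization dialog is hidden behind the locker screen." >&2
      return 2 ;;
    device)
      adb uninstall "$PKG" ;;   # prints Success or Failure
    *)
      echo "Unexpected device state: $state" >&2
      return 3 ;;
  esac
}
```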
The above steps can remove the ransomware, but they cannot recover the encrypted files. We recommend that users restore their files from backups, whether online or offline.
(Figure II, sample SHA1 hash value analysis for this attack)
To learn more about Trend Micro, please visit: http://www.trendmicro.com.cn/cn/