TkLocker Analysis Report

Author: Wang Huan

Overview

On the PC, the term "ransomware" gradually became known to the public after the outbreak of a virus called CryptLocker last year. It encrypts all of the user's documents, and the user must pay the attackers $300 or $0.5 to get the documents back. Recently we have found that a virus named SimpLocker is spreading abroad on the Android platform, and its behavior is exactly the same as CryptLocker's.

Now we find that users in China are not spared either. The appearance of the TkLocker virus has undoubtedly sounded the alarm for Chinese users. The virus author initially wrote a program named "don't be curious, don't open it" simply to show off, and it forcibly locked the user's phone for 24 hours, leaving the user unable to perform any operation on the phone during that time. He was not satisfied with this, however, and went on to produce nearly 600 malicious programs under attractive names such as "dedicated modifications for Daily Cool Run (Super Brother crack)", "100 BT seeds (you know)", "Anything that surprises anyone" and "275 plug-ins for Daily Cool Run", all of which prevent users from using their phones normally. It is likely to evolve into software like CryptLocker and SimpLocker. We remind users to install 360 Mobile Guard, 360 Mobile Antivirus or other security software whenever possible to avoid being hit. If the phone is already infected, connect it to a computer with a data cable, then download and install the "360 System First Aid Kit" on the computer and use its "Mobile Trojan killing" function to detect and remove the virus.

Virus Behavior Analysis

After it is started, it displays an activity interface (the screenshot is not reproduced in this copy of the report):

From then on the user cannot leave this interface no matter what they do. The implementation is as follows:

First, it creates a timer set to 24 hours; when the timer fires, the program unlocks the phone.

Then it keeps checking whether the activity currently in the foreground is its own malicious activity. If it is not, it ends the current program and brings the malicious activity back to the front.

In addition, if the user tries to shut down or restart the phone, the program displays the message "Forcing a shutdown will decommission the system! Haha~". The software does not actually have this capability, but it receives the boot-completed broadcast and starts itself automatically after every boot, so a restart still does not solve the problem.
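The two mechanisms described above (restart after boot, and repeatedly forcing its own activity to the foreground) both leave traces in an app's manifest. The following Python script is an added triage example written for this report; it is not code from the report, from 360, or from the TkLocker samples. It parses two constructed AndroidManifest.xml files (sample inputs made up for this example) with the standard library and flags the combination of a BOOT_COMPLETED receiver with the permission needed to poll the foreground task. The report does not say which API the locker uses to read the foreground activity; the use of android.permission.GET_TASKS as the indicator is an assumption based on the getRunningTasks API that older Android versions required it for.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
# Assumption: the report does not name the API used to watch the foreground
# activity; GET_TASKS (required by getRunningTasks on old Android releases)
# is used here as the polling indicator.
TASK_PERMISSION = "android.permission.GET_TASKS"

# Constructed sample manifest (not taken from any TkLocker sample) showing the
# combination the report describes: boot persistence plus foreground polling.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="cool run mod">
        <activity android:name=".LockActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text):
    """Collect permissions, boot receivers and lock-screen indicators."""
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(p, "name") for p in root.findall("uses-permission")}
    # A receiver counts as a boot receiver if any action in its intent filters
    # is BOOT_COMPLETED.
    boot_receivers = [
        _android_attr(rcv, "name")
        for rcv in root.iter("receiver")
        if any(_android_attr(a, "name") == BOOT_ACTION for a in rcv.iter("action"))
    ]
    indicators = []
    if BOOT_PERMISSION in permissions:
        indicators.append("boot-permission")
    if boot_receivers:
        indicators.append("boot-receiver")
    if TASK_PERMISSION in permissions:
        indicators.append("task-polling-permission")
    return {
        "package": root.get("package"),
        "permissions": sorted(permissions),
        "boot_receivers": boot_receivers,
        "indicators": indicators,
    }


def looks_like_screen_locker(report):
    """Heuristic: reboot persistence combined with foreground polling."""
    found = set(report["indicators"])
    return "boot-receiver" in found and "task-polling-permission" in found


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        rep = analyse_manifest(text)
        print(label, rep["package"], rep["indicators"], looks_like_screen_locker(rep))
```

The heuristic is deliberately narrow: either indicator on its own is common in legitimate apps (alarm clocks and launchers register for BOOT_COMPLETED; task managers request GET_TASKS), so only the combination is flagged, and a real pipeline would feed such hits into manual review rather than blocking on them.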

So far, the 360 Security Center has captured nearly 600 samples of the TkLocker series, with a total of more than 57,000 infected users. The three most widespread are "dedicated modifications for Daily Cool Run (Super Brother crack)" (19,341 users), "enchanting production" (12,462 users) and "Things that surprise anyone" (5,092 users).

The following are more of the same software.


These programs are all still prank software with the same functions, and they stop automatically after 24 hours. But it is foreseeable that attackers could use the same method to extort money in the future.

Solution

Currently, our 360 System First Aid Kit supports detecting and removing this Trojan. It is available at:

Http://www.360.cn/jijiuxiang/index.html

If the phone is already infected, connect it to a computer with a data cable, download and install the 360 System First Aid Kit on the computer, and use its "Mobile Trojan killing" function to detect and remove the virus. We recommend buying phones through regular channels and installing 360 Mobile Guard to protect them. If you encounter a virus or find software being silently installed on your phone, please report it to us promptly.
