Trend Micro Incorporated, a leader in cybersecurity solutions, has detected a new variant of the SLocker mobile ransomware, an Android file-encrypting ransomware. This SLocker variant is the first mobile ransomware to capitalize on the success of the earlier WannaCry outbreak, and it copies its GUI.
This ransomware disguises itself as game guides, video players, and so on in order to lure users into installing it. When the ransomware is installed, it checks whether it has been run before. If it has not, it generates a random number and stores it in SharedPreferences, where persistent application data is saved. It then locates the device's external storage directory and starts a new thread. Once the ransomware runs, the app changes its icon and name, along with the wallpaper of the infected device. The icon change relies on a disabled activity alias that the ransomware declares: it disables the original activity and enables the alias.
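The two manifest-level traits described above (a launcher activity alias that ships disabled, so the app can swap its icon and name after install, combined with external-storage permissions) can be checked statically before an APK is ever run. The following triage script is an added example, not Trend Micro's code or anything from the sample; it parses a decoded AndroidManifest.xml and reports those indicators. The embedded manifest, package name and class names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest (decoded, as apktool or aapt would emit it).
# Package, activity and alias names are invented for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gameguide">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game Guide" android:icon="@drawable/guide">
    <activity android:name=".MainActivity" android:enabled="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".Alias" android:targetActivity=".MainActivity"
                    android:enabled="false" android:label="Decryptor"
                    android:icon="@drawable/other">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""


def _android(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(component):
    """True if the activity or alias carries a LAUNCHER category (i.e. owns a home-screen icon)."""
    return any(_android(c, "name") == LAUNCHER for c in component.iter("category"))


def triage_manifest(manifest_xml):
    """Return the storage permissions requested and any launcher aliases that start disabled.

    A disabled launcher alias is what lets an app flip its visible icon and name
    at runtime by toggling component state; together with storage access it is a
    triage signal worth a closer look, not a verdict on its own.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_android(p, "name") for p in root.iter("uses-permission")}
    storage = sorted(perms & STORAGE_PERMS)
    hidden_aliases = [
        _android(a, "name")
        for a in root.iter("activity-alias")
        if _android(a, "enabled") == "false" and _is_launcher(a)
    ]
    return {
        "storage_permissions": storage,
        "disabled_launcher_aliases": hidden_aliases,
        "suspicious": bool(storage) and bool(hidden_aliases),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Legitimate apps also use disabled aliases (seasonal icons, for instance), so treat a hit as a reason to inspect the APK further, in combination with the other behaviours described on this page, rather than as proof of ransomware.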
The original sample captured by Trend Micro was named 'King of Glory Auxiliary' and was disguised as a cheating tool for the game King of Glory. When installed, it has a similar appearance to WannaCry, which has already inspired a few imitators. Trend Micro observed that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and only encrypts files that have suffixes (text files, pictures, videos).
Mr. Nilesh Jain, Country Manager (India and SAARC), Trend Micro, said, "Compared to the ransomware we've seen before, this ransomware is relatively simple. It is actually quite easy for a security engineer to reverse the ransomware and find a way to decrypt files. To help users keep the information on their mobile device safe, Trend Micro suggests installing apps downloaded from legitimate app stores such as Google Play and being careful about the permissions an app asks for, especially permissions that allow the app to read/write on external storage."
He further added, "It is also important to back up your data regularly—either on another secure device or on cloud storage. Users must install comprehensive antivirus solutions. Mobile security solutions such as Trend Micro Mobile Security block threats from app stores before they can be installed and cause damage to devices, while Trend Micro Maximum Security offers in-depth protection for multiple devices and proactively secures them from the threat of ransomware."
When a file that meets all the requirements is found, the thread uses ExecutorService to run a new task. Once the file has been encrypted, a suffix is appended to the file name. The suffix contains a QQ number and the random number used to generate the cipher. The ransomware presents victims with three options to pay the ransom, but in the sample analysed by Trend Micro, all three led to the same QR code, which asks the victims to pay via QQ (a popular Chinese mobile payment service). If victims refuse to pay after three days, the ransom price is raised. It threatens to delete all files after a week.
The ransomware tells victims that a decryption key will be sent after the ransom has been paid. Trend Micro's analysis found that if victims enter the key and click the Decrypt button, the ransomware compares the input with the value in MainActivity.m. After tracking MainActivity.m, they found that the value is actually the previously mentioned random number plus 520. Entering that as the key and clicking the Decrypt button will decrypt the files.
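Because the accepted key is simply the stored random number plus 520, and that number is also embedded in every encrypted file's suffix, a victim or responder can derive the key from the artifacts left on the device instead of paying. The following recovery helper is an added example, not Trend Micro's decryptor or the sample's code. It assumes a suffix layout of `<name>.<qq_number>.<random_number>` (the page only states that the suffix contains both numbers, so the separator is an assumption) and a SharedPreferences entry named `seed` (the real preference name is not given on the page). The file names and preferences XML are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

KEY_OFFSET = 520  # per the analysis above: accepted key = stored random number + 520

# Constructed SharedPreferences file in the layout Android writes (<map> of typed entries).
# The entry name "seed" is an assumption made for this example.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="started" value="true" />
    <int name="seed" value="6913" />
</map>
"""

# Constructed encrypted file names; the QQ number 123456789 is a placeholder.
SAMPLE_FILES = [
    "IMG_0001.jpg.123456789.6913",
    "notes.txt.123456789.6913",
    "Download/setup.apk.123456789.6913",
]

# Assumed suffix layout: ".<qq_number>.<random_number>" appended to the original name.
SUFFIX_RE = re.compile(r"\.(?P<qq>\d+)\.(?P<rand>\d+)$")


def random_from_prefs(prefs_xml, key_name="seed"):
    """Pull the stored random number out of a SharedPreferences XML dump, or None if absent."""
    root = ET.fromstring(prefs_xml)
    for entry in root.iter("int"):
        if entry.get("name") == key_name:
            return int(entry.get("value"))
    return None


def random_from_filename(name):
    """Extract the random number from an encrypted file's suffix, or None if the name lacks one."""
    m = SUFFIX_RE.search(name)
    return int(m.group("rand")) if m else None


def expected_key(random_number):
    """The value MainActivity.m compares against, per the analysis above."""
    return random_number + KEY_OFFSET


def recover_key(filenames, prefs_xml=None):
    """Derive the decryption key from encrypted file names, cross-checking SharedPreferences if given.

    Refuses to guess when the file names disagree (more than one infection, or
    a renamed file) or when the stored seed contradicts the suffixes.
    """
    seen = {random_from_filename(n) for n in filenames} - {None}
    if len(seen) != 1:
        raise ValueError("expected exactly one random number across the encrypted files, got %r" % sorted(seen))
    rand = seen.pop()
    if prefs_xml is not None:
        stored = random_from_prefs(prefs_xml)
        if stored is not None and stored != rand:
            raise ValueError("SharedPreferences seed %d does not match file suffix %d" % (stored, rand))
    return expected_key(rand)


if __name__ == "__main__":
    print("key to enter:", recover_key(SAMPLE_FILES, SAMPLE_PREFS_XML))
```

Reading the app's SharedPreferences requires access to its private data directory (a rooted device or a forensic image), so the file-name path is the one most victims can use; the preferences check is there to catch a mismatch before a wrong key is typed into an app that threatens deletion.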
The SLocker family is one of the oldest mobile lock-screen and file-encrypting ransomware families and used to impersonate law enforcement agencies to convince victims to pay the ransom. After lying low for a few years, it had a sudden resurgence last May. Shortly after details about the ransomware surfaced, decryption tools were published. After the initial ransomware was exposed, more and more variants appeared. Five days after its initial detection, a suspect supposedly responsible for the ransomware was arrested by the Chinese police. Luckily, due to the limited transmission channels (it was spread mostly through forums such as QQ groups and Bulletin Board Systems), the number of victims was very low. However, the proliferation of new variants so quickly after the first one shows that these malicious actors are not slowing down. Even though a suspect was caught, more advanced ransomware may be just around the corner.