Android ransomware purports to be a free social media follower application
The SonicWall Capture Labs Threat Research team has observed a number of Android locker ransomware samples that instruct the victim to contact the attacker over social media platforms. There is no assurance of receiving the unlock key even after paying the ransom; these apps exist purely for monetary gain. Several of them are disguised as free social media follower apps, as shown below.
Figure 1: Ransomware App Icons
All of these malicious apps were recently submitted to malware-sharing platforms such as VirusTotal.
Figure 2: VirusTotal submission history
The main permissions requested by these apps are listed below:
The SYSTEM_ALERT_WINDOW permission allows the app to draw overlay windows on top of every other activity; it is used here to display the ransom note.
After installation the app has no icon in the app drawer; the only way to see that it is installed is to open Settings -> Apps.
Figure 3: Malicious app visible under settings
In the manifest, the android.intent.category.LAUNCHER category is not set on MainActivity, as shown below, which means the application has no launcher icon on the home screen or in the app drawer.
Figure 4: Main activity launcher missing
The malicious application starts on the ACTION_BOOT_COMPLETED system broadcast, which is sent once Android has finished booting. It then puts up a lock screen carrying the ransom note, and the user is unable to use the device.
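The three manifest traits described above (the overlay permission, a receiver for the boot broadcast, and the missing LAUNCHER category) can be checked mechanically. The following script is an added example, not code from SonicWall or from the analysed samples: it parses a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so it assumes you have already decoded it with a tool such as apktool) and reports which of the locker traits are present. The package name, component names and the sample manifest itself are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for Android locker traits:
SYSTEM_ALERT_WINDOW (overlay ransom note), a BOOT_COMPLETED receiver
(auto-start after reboot) and no activity carrying the LAUNCHER category
(hidden from the app drawer).

Assumes the manifest has already been decoded from binary XML to text.
The sample manifest below is constructed for this example and is not
taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
RECEIVE_BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample: a decoded manifest showing all three locker traits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freefollowers">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Followers">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
            </intent-filter>
        </activity>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of the locker indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    # Activities (and aliases) that would get an icon in the app drawer.
    launcher_activities = []
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            cats = {_attr(c, "name") for c in act.iter("category")}
            if LAUNCHER in cats:
                launcher_activities.append(_attr(act, "name"))

    # Receivers that fire once the system has finished booting.
    boot_receivers = []
    for rcv in root.iter("receiver"):
        actions = {_attr(a, "name") for a in rcv.iter("action")}
        if BOOT_COMPLETED in actions:
            boot_receivers.append(_attr(rcv, "name"))

    return {
        "package": root.get("package"),
        "overlay_permission": OVERLAY_PERM in perms,
        "boot_permission": RECEIVE_BOOT_PERM in perms,
        "launcher_activities": launcher_activities,
        "boot_receivers": boot_receivers,
    }


def locker_score(report):
    """Number of the three locker traits present (0 to 3)."""
    return sum([
        report["overlay_permission"],
        bool(report["boot_receivers"]),
        not report["launcher_activities"],
    ])


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
    print("locker traits present: %d of 3" % locker_score(report))
```

A score of 3 is a strong hint, not a verdict: legitimate apps such as launchers or accessibility tools also request SYSTEM_ALERT_WINDOW and listen for BOOT_COMPLETED, so the manifest check is a filter to decide which samples get manual review of the code, where the hard-coded unlock key can then be recovered.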
Further investigation of the malicious code shows that each sample carries a different ransom note and a different unlock key, hard-coded in the app itself under a "password" field. Because the key is embedded in the code, it can be recovered by static analysis of the APK. No files on the device are actually encrypted; the only effect is the locked screen.
Figure 6: Password and Ransom note present in code
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):