Wannacry copycat rampant on Android ecosystem

June 28, 2017

Ransomware has been the buzzword in recent times, this subject has exploded over the last few weeks ever since we saw the ransomware epidemic - WannaCry. It is of little surprise that many are trying to capitalize on Wannacry's popularity. SonicWall Threats Research team received reports of one such copycat ransomware for Android.

Infection Cycle

The app requests for the following permissions during installation:

  • Read external storage
  • Internet
  • Get tasks
  • com.android.launcher.permission.read settings
  • Read logs
  • Access wifi state
  • Wake lock
  • Set wallpaper
  • Access network state
  • Read phone state
  • Modify audio settings
  • Mount unmount filesystems
  • Change configuration
  • Write external storage

Upon installation the app disappears from the app drawer, but a new icon is visible with the name lycorisradiata - which is the name of a plant red spider lilly. This however is not a new app, it's the same malicious app with a different app icon.

The malicious app changes the wallpaper of the device, below are few wallpapers that we saw. They dont seem to be connected in any special way:

The malware starts attaching an extension at the end of files, like other popular ransomwares for Windows machines. During our analysis it attached the following string:

Below we can see the code calculating the string to be attached:

The ransomware shows a warning message if we open a different app i.e. push the ransomware in the background. The message warns the user that the files will be removed if the application is quit, this is a fear tactic used by the malware into coaxing the victim to pay the ransom.

The ransomware begins encrypting files on the system using AES and it is careful in avoiding system files. Ultimately we see the same screen layout that was used by Wannacry to cover the entire screen.

As a ransom the apps in this campaign ask for either 20 or 40 RMB (1RMB approx 0.15 dollars). It accepts the following payment methods:

  • QQ chat
  • Alipay
  • WeChat


This is clearly an effort to utilize the popularity of Wannacry to scare the victims into paying the ransom.

Interesting points

  • The malware requests for ransom in RMB
  • The malware opens a connection to biaozhunshijian.51240.com which essentially shows the current time in Beijing
  • The malware accepts payments in the form of QQ, Alipay and WeChat - all these three apps are highly popular in China
  • The above points hint at this campaign's target and the possible source from where these malicious apps arise
  • There is a function deleteDirWihtFile which has checks in place to avoid files and directories with the following names:
    • android
    • com.
    • miad
    • baidunetdisk
    • download
    • dcim

Overall this ransomware is trying to utilize the popularity of Wannacry for its own goals. It tries to scare the victims into paying a ransom by using the popular Wannacry lockscreen. By using non-crypto currency for its payments the authors are taking a risk of getting tracked down. Coupled with the fact that the ransom demanded is not very high, it looks like the authors are trying to make a quick buck.

Can Wannacry infect Android devices ?
In the current state - NO. Wannacry used a specific windows exploit that can affect only windows systems. However people are still recovering from the effects of Wannacry, so scare tactics - like the one used in this malware - are expected.

SonicWALL provides protection against multiple versions of this threat via the following signature:

  • GAV: AndroidOS.Wannaclone.PK (Trojan)