AbhayaKumarArora
Active Level 4
08-02-2019 02:25 AM (Last edited 08-03-2019 06:01 PM) in Others

Researchers discover a new Android ransomware family that attempts to spread to victims' contacts and deploys some unusual tricks.
After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected .

Way 1 - The attacker's Reddit profile with malicious posts and comments.
Way 2 - Some of the attackers' malicious posts on the XDA Developers forum.
Way 3 - Statistics for the bit.ly link shared on Reddit during the ransomware campaign.
Way 4 - An SMS with a link to the ransomware; this language variant is sent if the sending device has the language set to English.
Way 5 - A total of 42 language versions that are hardcoded in the ransomware.
Way 6 - An example of a set of addresses for the ransomware to retrieve C&C addresses.

Once potential victims receive an SMS message with the link to the malicious application, they need to install it manually. After the app is launched, it displays whatever is promised in the posts distributing it, most often a **bleep** simulator online game. However, its main purposes are C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism.
As for C&C communication, the malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.

The ransomware has the ability to send text messages, due to having access to the user's contact list. Before it encrypts files, it sends a message to each of the victim's contacts using the technique described in the "Spreading" section above.

Way 7 - A ransom note displayed by Android/Filecoder.C.

The ransomware goes through files on accessible storage (meaning all the device's storage except where system files reside) and encrypts most of them (see the "File encryption mechanism" section below). After the files are encrypted, the ransomware displays its ransom note.

It is true that if the victim removes the app, the ransomware will not be able to decrypt the files, as stated in the ransom note. Also, according to our analysis, there is nothing in the ransomware's code to support the claim that the affected data will be lost after 72 hours.

Unlike typical Android ransomware, Android/Filecoder.C doesn't prevent use of the device by locking the screen.
Way 8 - How the malware calculates the ransom.
Way 9 - The Bitcoin address used by the attackers.

The requested ransom is partially dynamic. The first part of the amount of bitcoins to be requested is hardcoded (the value is 0.01), while the remaining six digits are the user ID generated by the malware.

This unique practice may serve the purpose of identifying the incoming payments. (In Android ransomware, this is typically achieved by generating a separate Bitcoin wallet for each encrypted device.) Based on the recent exchange rate of approximately US$9,400 per bitcoin, the derived ransoms will fall in the range US$94-188 (assuming that the unique ID is generated randomly).

At the time of writing, the mentioned Bitcoin address, which can be dynamically changed but was the same in all cases we've seen, has recorded no transactions.
Way 10 - Overview of encrypted file structure.

The ransomware uses asymmetric and symmetric encryption. First, it generates a public and private key pair. This private key is encrypted using the RSA algorithm with a hardcoded public key stored in the code and sent to the attacker's server. The attacker can decrypt that private key and, after the victim pays the ransom, send that private key to the victim to decrypt their files.

When encrypting files, the ransomware generates a new AES key for each file that will be encrypted. This AES key is then encrypted using the public key and prepended to each encrypted file, resulting in the following pattern:

`( (AES)public_key + (File)AES ).seven`

Way 11 - Encrypted files with the extension ".seven".
The ransomware encrypts the following filetypes, by going through accessible storage directories:

However, it doesn't encrypt files in directories that contain the strings ".cache", "tmp", or "temp".

The ransomware also leaves files unencrypted if the file extension is ".zip" or ".rar" and the file size is over 51,200 KB/50 MB, and ".jpeg", ".jpg" and ".png" files with a file size less than 150 KB.

The list of filetypes contains some entries unrelated to Android and at the same time lacks some typical Android extensions such as .apk, .dex, .so. Apparently, the list has been copied from the notorious WannaCryptor aka WannaCry ransomware.

Once the files are encrypted, the file extension ".seven" is appended to the original filename.

Way 12 - Ransom payment verification web page.

Code to decrypt encrypted files is present in the ransomware. If the victim pays the ransom, the ransomware operator can verify that via the website.
How to keep yourself safe

1. First of all, keep your devices up to date, ideally set them to patch and update automatically, so that you stay protected even if you're not among the most security-savvy users.
2. If possible, stick with Google Play or other reputable app stores. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.
3. Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.
4. Focus on the permissions requested by the app. If they seem inadequate for the app's functions, avoid downloading the app.
5. Use a reputable mobile security solution to protect your device.
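The encrypted-file layout described in the post, `(AES)public_key + (File)AES` with a `.seven` suffix, written out as an added example in Go. This is not code from the post or from the researchers who analysed the sample: the page does not state the RSA key size, padding, AES mode or where a nonce/IV is stored, so RSA-2048 with OAEP, AES-256-GCM and a 12-byte nonce placed directly after the wrapped key are assumptions, and the second layer (the on-device private key being wrapped with a hardcoded key and sent to the server) is left out. The point shown is the analyst's side: how a `.seven` blob splits into a fixed-size wrapped key and the file body, and why only the holder of the private key can recover the per-file AES key. The fixture builder exists only to produce offline test input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layout from the write-up: (AES key wrapped with the public key) + (file body encrypted with AES).
// Assumed, because the page does not say: RSA-2048 with OAEP/SHA-256 for the wrapping,
// AES-256-GCM for the body, and a 12-byte nonce stored directly after the wrapped key.
const (
	rsaBits    = 2048
	wrappedLen = rsaBits / 8 // an RSA ciphertext is exactly one modulus long
	nonceLen   = 12
)

// ParseSeven splits one ".seven" blob into wrapped AES key, nonce and AES ciphertext.
func ParseSeven(blob []byte) (wrapped, nonce, ciphertext []byte, err error) {
	if len(blob) < wrappedLen+nonceLen {
		return nil, nil, nil, errors.New("blob shorter than wrapped key plus nonce")
	}
	return blob[:wrappedLen], blob[wrappedLen : wrappedLen+nonceLen], blob[wrappedLen+nonceLen:], nil
}

// newGCM builds an AES-GCM instance for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Recover is the decryption path: unwrap the per-file AES key with the private key, then
// decrypt the body. Only the holder of the private key can do this, which is why the malware
// ships that key to the operator before encrypting anything.
func Recover(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	wrapped, nonce, ciphertext, err := ParseSeven(blob)
	if err != nil {
		return nil, err
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// MakeFixture produces a blob in the described layout so ParseSeven and Recover can be
// exercised offline. It is textbook envelope encryption and exists only to build test input.
func MakeFixture(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	material := make([]byte, 32+nonceLen) // fresh 32-byte AES key followed by the nonce
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	aesKey, nonce := material[:32], material[32:]
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	blob := append(wrapped, nonce...)
	return append(blob, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// RoundTrip runs the whole life cycle on constructed data: the on-device key pair, one
// encrypted file, and the recovery the private-key holder performs. It reports whether
// the original bytes came back intact.
func RoundTrip(plaintext []byte) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return false, err
	}
	blob, err := MakeFixture(&priv.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	got, err := Recover(priv, blob)
	return err == nil && bytes.Equal(got, plaintext), err
}

func main() {
	ok, err := RoundTrip([]byte("constructed sample document contents"))
	fmt.Println("recovered intact:", ok, "error:", err)
}
```

Because the wrapped key is always one RSA modulus long, an analyst can locate the boundary between header and body without any other metadata; everything after the fixed header is opaque until the private key is available, which matches the post's observation that removing the app does not make recovery possible.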
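The file-selection rules the post lists (skip directories containing ".cache", "tmp" or "temp"; skip ".zip"/".rar" over 51,200 KB; skip ".jpeg"/".jpg"/".png" under 150 KB; append ".seven") turned into a small impact-triage tool, as an added example in Go rather than code from the post. Given an inventory of paths and sizes from a device image it reports which files an infection would have reached and why the rest were left alone, and maps a ".seven" name back to the original. The post does not reproduce the targeted extension list, so the handful of extensions used here is a placeholder, and the inventory is constructed sample data.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// FileEntry is one row of a constructed storage inventory (path on accessible storage,
// size in bytes). Real input would come from a forensic image of the device.
type FileEntry struct {
	Path string
	Size int64
}

// targetedExts is a placeholder subset: the write-up says the list resembles WannaCryptor's
// but does not reproduce it, so only a few common extensions are assumed here.
var targetedExts = map[string]bool{
	".doc": true, ".docx": true, ".pdf": true, ".txt": true, ".mp4": true,
	".jpg": true, ".jpeg": true, ".png": true, ".zip": true, ".rar": true,
}

const (
	archiveSkipLimit = 51200 * 1024 // 51,200 KB: .zip/.rar above this size are left alone
	imageSkipLimit   = 150 * 1024   // 150 KB: .jpeg/.jpg/.png below this size are left alone
	encryptedExt     = ".seven"     // appended to every file the malware has encrypted
)

// Classify applies the directory, extension and size rules from the write-up to one entry
// and names the rule that decided. Files already carrying ".seven" are reported separately
// as an analyst convenience; the page does not say how the malware treats them.
func Classify(f FileEntry) (targeted bool, reason string) {
	dir := strings.ToLower(path.Dir(f.Path))
	ext := strings.ToLower(path.Ext(f.Path))
	if ext == encryptedExt {
		return false, "already encrypted"
	}
	for _, marker := range []string{".cache", "tmp", "temp"} {
		if strings.Contains(dir, marker) {
			return false, "directory contains " + marker
		}
	}
	if !targetedExts[ext] {
		return false, "extension not in target list"
	}
	switch ext {
	case ".zip", ".rar":
		if f.Size > archiveSkipLimit {
			return false, "archive over 51,200 KB"
		}
	case ".jpeg", ".jpg", ".png":
		if f.Size < imageSkipLimit {
			return false, "image under 150 KB"
		}
	}
	return true, "targeted extension within size rules"
}

// OriginalName strips the appended ".seven" so an encrypted file can be mapped back to
// its pre-infection name; ok is false when the name does not carry the extension.
func OriginalName(p string) (name string, ok bool) {
	if strings.HasSuffix(strings.ToLower(p), encryptedExt) {
		return p[:len(p)-len(encryptedExt)], true
	}
	return p, false
}

// Triage counts the files an infection would have reached and tallies the skip reasons.
func Triage(files []FileEntry) (atRisk int, skipped map[string]int) {
	skipped = map[string]int{}
	for _, f := range files {
		if ok, reason := Classify(f); ok {
			atRisk++
		} else {
			skipped[reason]++
		}
	}
	return atRisk, skipped
}

// SampleInventory is constructed test data, not taken from any real device.
func SampleInventory() []FileEntry {
	return []FileEntry{
		{"/sdcard/Documents/report.pdf", 400_000},
		{"/sdcard/Android/data/com.example/.cache/img.png", 800_000},
		{"/sdcard/tmp/notes.txt", 1_000},
		{"/sdcard/Download/archive.zip", 60 * 1024 * 1024},
		{"/sdcard/Download/photos.rar", 20 * 1024 * 1024},
		{"/sdcard/DCIM/thumb.jpg", 100 * 1024},
		{"/sdcard/DCIM/IMG_001.jpg", 3 * 1024 * 1024},
		{"/sdcard/Download/app.apk", 5_000_000},
		{"/sdcard/Movies/clip.mp4.seven", 50_000_000},
	}
}

func main() {
	atRisk, skipped := Triage(SampleInventory())
	fmt.Println("files at risk:", atRisk, "skipped:", skipped)
}
```

On the sample inventory three files are at risk (the PDF, the 20 MiB archive and the 3 MiB photo) and each of the six skip rules fires exactly once, which makes the rule set easy to check against a real file listing before drawing conclusions about what an infection would have destroyed.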