Original topic:

Android ransomware is back 😲🤔🤔

(Topic created on: 08-02-2019 02:25 AM)
ÁbhayaĶumarĎora
Active Level 4
Researchers discover a new Android ransomware family that attempts to spread to victims' contacts and deploys some unusual tricks.

After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected …

Figure 1 - The attacker's Reddit profile with malicious posts and comments.

Figure 2 - Some of the attackers' malicious posts on the XDA Developers forum.

Figure 3 - Statistics for the bit.ly link shared on Reddit during the ransomware campaign.

Figure 4 - An SMS with a link to the ransomware; this language variant is sent if the sending device has the language set to English.

Figure 5 - A total of 42 language versions that are hardcoded in the ransomware.

Figure 6 - An example of a set of addresses for the ransomware to retrieve C&C addresses.

Once potential victims receive an SMS message with the link to the malicious application, they need to install it manually. After the app is launched, it displays whatever is promised in the posts distributing it – most often, it's a **bleep** simulator online game. However, its main purposes are C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism.

As for C&C communication, the malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed at any time by the attacker, using the free Pastebin service.

The ransomware has the ability to send text messages, due to having access to the user's contact list. Before it encrypts files, it sends a message to each of the victim's contacts using the technique described in the "Spreading" section above.

Figure 7 - A ransom note displayed by Android/Filecoder.C.

The ransomware goes through files on accessible storage – meaning all the device's storage except where system files reside – and encrypts most of them (see the "File encryption mechanism" section below). After the files are encrypted, the ransomware displays its ransom note.

It is true that if the victim removes the app, the ransomware will not be able to decrypt the files, as stated in the ransom note. Also, according to our analysis, there is nothing in the ransomware's code to support the claim that the affected data will be lost after 72 hours.

Unlike typical Android ransomware, Android/Filecoder.C doesn't prevent use of the device by locking the screen.

Figure 8 - How the malware calculates the ransom.

Figure 9 - The Bitcoin address used by the attackers.

The requested ransom is partially dynamic. The first part of what will be the amount of bitcoins to be requested is hardcoded – the value is 0.01 – while the remaining six digits are the user ID generated by the malware.

This unique practice may serve the purpose of identifying the incoming payments. (In Android ransomware, this is typically achieved by generating a separate Bitcoin wallet for each encrypted device.) Based on the recent exchange rate of approximately US$9,400 per bitcoin, the derived ransoms will fall in the range US$94–188 (assuming that the unique ID is generated randomly).

At the time of writing, the mentioned Bitcoin address, which can be dynamically changed but was the same in all cases we've seen, has recorded no transactions.

Figure 10 - Overview of encrypted file structure.

The ransomware uses asymmetric and symmetric encryption. First, it generates a public and private key pair. This private key is encrypted using the RSA algorithm with a hardcoded public key stored in the code and sent to the attacker's server. The attacker can decrypt that private key and, after the victim pays the ransom, send that private key to the victim to decrypt their files.

When encrypting files, the ransomware generates a new AES key for each file that will be encrypted. This AES key is then encrypted using the public key and prepended to each encrypted file, resulting in the following pattern:

( (AES)public_key + (File)AES ).seven

Figure 11 - Encrypted files with the extension ".seven".

The ransomware encrypts the following filetypes, by going through accessible storage directories:

However, it doesn't encrypt files in directories that contain the strings ".cache", "tmp", or "temp".

The ransomware also leaves files unencrypted if the file extension is ".zip" or ".rar" and the file size is over 51,200 KB/50 MB, and ".jpeg", ".jpg" and ".png" files with a file size less than 150 KB.

The list of filetypes contains some entries unrelated to Android and at the same time lacks some typical Android extensions such as .apk, .dex, .so. Apparently, the list has been copied from the notorious WannaCryptor aka WannaCry ransomware.

Once the files are encrypted, the file extension ".seven" is appended to the original filename.

Figure 12 - Ransom payment verification web page.

Code to decrypt encrypted files is present in the ransomware. If the victim pays the ransom, the ransomware operator can verify that via the website.

How to stay safe

1. First of all, keep your devices up to date, ideally set them to patch and update automatically, so that you stay protected even if you're not among the most security-savvy users.

2. If possible, stick with Google Play or other reputable app stores. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.

3. Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.

4. Focus on the permissions requested by the app. If they seem inadequate for the app's functions, avoid downloading the app.

5. Use a reputable mobile security solution to protect your device.




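The file-selection rules and the ransom formula quoted in the post above are specific enough to turn into a small triage helper: given a listing of a device's accessible storage (path and size), it predicts which files Android/Filecoder.C would have encrypted and under what name, and computes the ransom range the post derives. This is an added example for the thread, not code from the post, from ESET, or from the malware sample. It assumes "KB" means 1024 bytes (so 150 KB is 153,600 bytes and 51,200 KB is 52,428,800 bytes), that the ".cache"/"tmp"/"temp" rule is a substring match on the directory part of the path, that the six-digit user ID is a plain decimal number in 0..999999, and it uses a small constructed target-extension list because the post does not reproduce the real one. The function names, the sample inventory and the extension list are all constructed for the example.

```python
"""Triage helper reconstructed from the published description of
Android/Filecoder.C.  Added example; not the post's, ESET's or the sample's code.
Assumptions: KB = 1024 bytes; directory check is a substring match on the
directory part of the path; user ID is a decimal integer 0..999999; the
target-extension list is a constructed stand-in.
"""
import posixpath
from decimal import Decimal, ROUND_HALF_UP
from typing import Iterable, List, Tuple

KB = 1024
SKIP_DIR_MARKERS = (".cache", "tmp", "temp")   # directories the sample skips
ENCRYPTED_SUFFIX = ".seven"                    # appended to the original name
ARCHIVE_EXTS = {".zip", ".rar"}
ARCHIVE_SIZE_LIMIT = 51_200 * KB               # archives larger than this are spared
IMAGE_EXTS = {".jpeg", ".jpg", ".png"}
IMAGE_SIZE_FLOOR = 150 * KB                    # images smaller than this are spared

# Constructed stand-in: the post says the real list was copied from WannaCry
# and lacks .apk/.dex/.so but does not reproduce it.  Replace with the real
# list when working from the sample.
TARGET_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".jpeg", ".png", ".zip", ".rar"}


def would_encrypt(path: str, size: int, targets=TARGET_EXTENSIONS) -> bool:
    """Apply the published selection rules to one file (POSIX path, size in bytes)."""
    directory = posixpath.dirname(path)
    if any(marker in directory for marker in SKIP_DIR_MARKERS):
        return False
    ext = posixpath.splitext(path)[1].lower()
    if ext not in targets:
        return False
    if ext in ARCHIVE_EXTS and size > ARCHIVE_SIZE_LIMIT:
        return False
    if ext in IMAGE_EXTS and size < IMAGE_SIZE_FLOOR:
        return False
    return True


def encrypted_name(path: str) -> str:
    """The sample appends ".seven"; the original extension is kept in front of it."""
    return path + ENCRYPTED_SUFFIX


def triage(inventory: Iterable[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """(original path, expected encrypted name) for every file the sample would hit."""
    return [(p, encrypted_name(p)) for p, size in inventory if would_encrypt(p, size)]


def ransom_btc(user_id: int) -> Decimal:
    """Hardcoded 0.01 BTC with the six-digit user ID as the next six decimals."""
    if not 0 <= user_id <= 999_999:
        raise ValueError("user ID must be six decimal digits")
    return Decimal("0.01") + Decimal(user_id).scaleb(-8)


def ransom_usd(user_id: int, btc_usd: Decimal = Decimal("9400")) -> Decimal:
    """Dollar value at the rate quoted in the post, rounded to cents."""
    return (ransom_btc(user_id) * btc_usd).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# Constructed inventory, the kind of listing an analyst would pull from a device image.
SAMPLE_INVENTORY = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", 2_400_000),   # photo above 150 KB: hit
    ("/sdcard/DCIM/.thumbnails/thumb.jpg", 12_000),     # small image: spared
    ("/sdcard/Download/report.pdf", 300_000),           # hit
    ("/sdcard/Download/backup.zip", 60 * 1024 * KB),    # archive over 50 MB: spared
    ("/sdcard/Download/notes.zip", 2_000_000),          # small archive: hit
    ("/sdcard/.cache/page.png", 500_000),               # ".cache" directory: spared
    ("/sdcard/tmp/scratch.txt", 5_000),                 # "tmp" directory: spared
    ("/sdcard/Music/song.mp3", 4_000_000),              # extension not in the list
    ("/sdcard/Download/tool.apk", 9_000_000),           # .apk is absent from the list
]


if __name__ == "__main__":
    for original, renamed in triage(SAMPLE_INVENTORY):
        print(f"{original} -> {renamed}")
    print("ransom range: USD", ransom_usd(0), "to", ransom_usd(999_999))
```

Run against a real storage dump, the list of predicted targets can be diffed against the ".seven" files actually present to confirm the sample behaved as described (and to spot files that were skipped for a reason not in the write-up). The size thresholds are applied with strict comparisons, so a 150 KB image or a 50 MB archive is still encrypted; if the sample's own comparisons turn out to be inclusive, only the two constants change.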