Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider.
The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this variant the malware’s authors include a picture of a cat:
The ransomware constantly requests commands from the control server via HTTP, and the malicious server responds with the attackers’ instructions defined in the control panel. All of this traffic is transmitted without encryption.
The commands that this threat can receive and perform are described in the following table:
|0||Read commands||HTTP request to control server for new commands|
|1||Send SMS message||Send message from infected device|
|2||Remove all SMS||Forward and delete all SMS messages|
|3||Encrypt SD files||Encrypt all files on SD card and add extension .enc|
|4||Encrypt path in SD||Encrypt all files on SD card in a specific path with extension .enc|
|5||Decrypt SD files||Decrypt affected files on SD card that contain extension .enc|
|6||Decrypt path in SD files||Decrypt files in a specific path on SD card|
|8||Exit||Kill application and exit|
Reading commands from the control server:
Some interesting features of this ransomware include the ability to encrypt specific files, steal SMS messages while forwarding them to the attacker and avoiding the victim’s message visualization, lock access to the device and the encryption using an AES algorithm with a hardcoded password. Unlike asymmetric encryption, using a hardcoded password makes decryption trivial. Moreover, the application code contains a method to decrypt the affected files; thus this ransomware app can be forced to decrypt files if one invokes the appropriate method.
Decrypting the affected files:
The malicious server control panel for the botnet allows several remote commands:
- Lock/unlock the screen (with a cat image).
- Send SMS messages to the victim.
- Encrypt/decrypt SD card memory files (with a hardcoded password).
- Silently steal SMS messages from the victim’s device.
McAfee Labs has informed the owners of the abused servers and has requested they take down the malicious service.
This ransomware variant looks like a demo version used to commercialize malware kits for cybercriminals because the control server interface is not protected and includes in the code words such as MyDificultPassw.
These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.
McAfee Mobile Security detects this Android threat as Android/Ransom.ElGato and alerts mobile users if the malware is present, while protecting them from any data loss. Follow this link for more information about McAfee Mobile Security.