Android/Locker.CB!tr
Analysis
Android/Locker.CB!tr is ransomware and spyware that targets Android mobile devices. It scares the victim by claiming to have detected suspicious unlawful activity on the phone and to have reported it to the FBI. The victim is expected to pay a $500 fine. In most cases, the victim's smartphone is locked on those false allegations and can no longer be used.
The malware also communicates with a remote C&C and, depending on the commands it receives from it, may also perform other actions: encrypt the contents of the SD card, send SMS messages, forward any incoming SMS, forward the list of contacts.
Finally, the malware tries to propagate by sending SMS messages to the victim's contacts; the link in each SMS leads to the malware.
Technical Details
The malware comes packaged as com.adobe.videoprayer and mimics a video player.
When the application is launched, it displays web pages intended to scare the victim. These pages:
- Appear to have come from the Department of Justice / FBI.
- Include text of US laws.
- Claim that the information has been uploaded to FBI servers.
- Display real content from the device: IMEI, phone number, model and IP address, device browser history.
- Display a picture of the victim. The picture is taken with the smartphone's front camera, so it presumably shows the smartphone's owner.
- Show fake pornographic images. The image is contained in the malware's resources.
- Illustrate their threats with images of people being handcuffed and arrested by the police.
The service is named 'Locker' because it is genuinely difficult for a regular end-user to leave those pages. Consequently, the victim cannot use his/her phone and feels there is no option but to pay the ransom.
Experienced end-users should try to kill the service:
- Get a shell on the infected device.
- Stop the service:
am stopservice com.adobe.videoprayer/.LockerService
The locking pages should disappear.
- Finally, uninstall the malware:
pm uninstall com.adobe.videoprayer
The locking mechanism also includes a receiver, named StartLockServiceAtBootReceiver, which starts the locking service as soon as the device boots.
Meanwhile, the Checker service is also started at boot. This service will:
- Every minute, contact the remote C&C:
http://{Removed}.104:12449/pha?android_version=[VersionRelease]&id=[Identifier]&phone_number=[PhoneNumber]&client_version=1.03&imei=[IMEI]&name=[Model]
where [Identifier] is the Settings.Secure.ANDROID_ID (a hex string that identifies the device), [PhoneNumber] is the infected phone's number, [IMEI] is the infected phone's IMEI, client_version is the malware's version number, [VersionRelease] is Build.VERSION.RELEASE, and [Model] is Build.MODEL.
The C&C responds to this request with a JSON object containing an SMS template:
{"sms_template": "OMG!!! Guess who's on a video here, you will not believe it!!! Download this application and look on first page http://{Removed}"}
Then, the malware asks for commands:
http://{Removed}.104:12449/gac/IDENTIFIER
and the C&C responds with a JSON object containing a command identifier:
{"id": "3"}
We will detail the commands later on.
The malware confirms it received the command:
http://{Removed}4:12449/eaction/IDENTIFIER
to which the C&C responds "Action execute". The malware then performs the command.
- Every 30 minutes (a delay set in the code by ContactSmsDelayMillis in res/values/integers.xml), try to propagate by sending SMS messages to some of the victim's contacts. The number of contacts to message per round is set in the code by a variable named ContactCount (see res/values/integers.xml). The malware builds a list of the contacts on the smartphone, sends an SMS to the first ContactCount entries, then to the next ContactCount entries on the following round, and so on. The SMS body is the template sent by the C&C server, for example the one shown above. The link in the SMS leads to a download of this very malware (Android/Locker.CB!tr).
- If an incoming SMS is received and the catchSms option (in the preferences file) is set, forward the originating phone number, date and time, and body of the SMS in an HTTP request to the C&C:
hxxp://{Removed}.104:12449/scs/IDENTIFIER...
More precisely, the IncomingSms receiver is notified of the new SMS message (before other receivers, because of its high priority) and sends an "incoming_sms" intent to the Checker service, which then issues a ReceivedSmsRequest.
The command identifiers returned by the C&C and the corresponding actions are:
Id | Command | Description
---|---|---
0 | ACTION_GET_SMS | getAndSendSmsData(): sends all SMS messages (originating number, date and body) as JSON objects to hxxp://{Removed}.104:12449/ssms/IDENTIFIER
1 | ACTION_GET_CONTACTS | getAndSendContactData(): sends the list of all contacts on the phone (name and phone number) as JSON objects to hxxp://{Removed}.104:12449/sc/IDENTIFIER
2 | ACTION_CRYPT_DATA | Encrypts the SD card's Android directory
3 | ACTION_LOCK_PHONE | Makes sure the scare pages are displayed and the phone stays locked on those pages
5 | ACTION_UNLOCK_PHONE | Stops the Locker service, so the scare pages disappear. The malware then switches to Catch SMS mode, in which incoming SMS messages are forwarded to the C&C
6 | ACTION_CODE_INCORRECT | Displays an alert window reading 'Entered code is incorrect', telling the victim that the voucher code entered for payment is not valid
7 | ACTION_CATCH_SMS | setCatchSms: sets the CatchSms entry in the preferences file to true, so that all incoming SMS messages are forwarded to the C&C
8 | ACTION_SEND_SMS | doSendSms: sends an SMS to a given phone number. The malware requests hxxp://{Removed}.104:12449/gsfs/IDENTIFIER and the C&C responds with a JSON object containing a phone number and an SMS body; the infected device sends that body to that number
9 | ACTION_STOP_CATCH_SMS | Sets CatchSms to false, which ends the spying on incoming SMS messages
10 | ACTION_DECRYPT_DATA | Decrypts the SD card's Android directory
-1 | ACTION_UNKNOWN | No action to perform
The malware's encryption algorithm is as follows.
- First, the malware derives an AES key from the hard-coded string "ThisIsKey" using PBKDF2 with HMAC-SHA1, 65536 iterations and the hard-coded salt "ThisIsSalt". In other words, the key string is used as the HMAC-SHA1 key, the salt (plus a block counter) as the initial message, and HMAC-SHA1 is chained 65536 times.
- The resulting bytes are used as an AES key to encrypt the Android directory of the SD card. The encryption is applied recursively to every file and directory under Android.
- Decryption follows the same process: the string "ThisIsKey" is derived into a key, and the resulting bytes are used to decrypt the directory. Because the key is generated from a hard-coded string and salt, it is 'static' and common to all instances of this particular malware. A victim whose SD card got encrypted can therefore implement the decryption process and retrieve his/her data.
If the victim decides to pay, the voucher code entered is sent to the C&C:
http://{Removed}104:12449/cpm/IDENTIFIER?payment_check=CODE&payment_type=29
There is, of course, no guarantee that the attacker will then unlock the device or decrypt its files.
Finally, it is interesting to note that the Checker service is designed to run in the background even while the smartphone is locked or idle. It specifically acquires a PARTIAL_WAKE_LOCK so that it keeps running while the screen remains dimmed (which is less noticeable). End users may, however, notice a battery drain, as the malware continuously sends requests to the C&C.
The malware installs the following files on the device:
- ./assets/tab2.html
- ./assets/320x320_stamp and sign.png
- ./assets/accordion_open.png
- ./assets/tab1.html
- ./assets/accordion.js
- ./assets/320x320_prism-logo.png
- ./assets/tab4.html
- ./assets/accordion_closed.png
- ./assets/accordion.css
- ./META-INF/CERT.RSA
- ./META-INF/CERT.SF
- ./META-INF/MANIFEST.MF
- ./resources.arsc
- ./res/drawable-xxxhdpi-v4/ic_clipboard.png
- ./res/drawable-xxxhdpi-v4/ic_info.png
- ./res/drawable-xxxhdpi-v4/ic_money.png
- ./res/drawable-xxxhdpi-v4/ic_justice.png
- ./res/drawable-xxxhdpi-v4/ic_home.png
- ./res/layout/tab1.xml
- ./res/layout/page4.xml
- ./res/layout/page3.xml
- ./res/layout/history_item.xml
- ./res/layout/main_screen.xml
- ./res/layout/activity_main2.xml
- ./res/layout/page2.xml
- ./res/layout/page5.xml
- ./res/layout/page1.xml
- ./res/layout/tab4.xml
- ./res/layout/tab3.xml
- ./res/layout/page4_header.xml
- ./res/layout/activity_main.xml
- ./res/layout/tab2.xml
- ./res/layout/tab5.xml
- ./res/drawable-hdpi-v4/p5.png
- ./res/drawable-hdpi-v4/p2.png
- ./res/drawable-hdpi-v4/paypal_logo.png
- ./res/drawable-hdpi-v4/p3.png
- ./res/drawable-hdpi-v4/p4.png
- ./res/drawable-hdpi-v4/ic_info.png
- ./res/drawable-hdpi-v4/logo1.png
- ./res/drawable-hdpi-v4/bhist.png
- ./res/drawable-hdpi-v4/ic_launcher.png
- ./res/drawable-hdpi-v4/paypal_logo_back.png
- ./res/drawable-hdpi-v4/logo3.png
- ./res/drawable-hdpi-v4/ic_money.png
- ./res/drawable-hdpi-v4/ic_justice.png
- ./res/drawable-hdpi-v4/p1.png
- ./res/drawable-hdpi-v4/ic_clipboard.png
- ./res/drawable-hdpi-v4/ic_home.png
- ./res/drawable-xxhdpi-v4/ic_justice.png
- ./res/drawable-xxhdpi-v4/ic_money.png
- ./res/drawable-xxhdpi-v4/ic_info.png
- ./res/drawable-xxhdpi-v4/ic_launcher.png
- ./res/drawable-xxhdpi-v4/ic_clipboard.png
- ./res/drawable-xxhdpi-v4/ic_home.png
- ./res/xml/device_admin_sample.xml
- ./res/drawable/s_btn_backspace.xml
- ./res/drawable/header_bg_tile.xml
- ./res/drawable/s_btn_pay.xml
- ./res/drawable/mybackground.xml
- ./res/drawable/s_btn_number.xml
- ./res/drawable-xhdpi-v4/image_location.png
- ./res/drawable-xhdpi-v4/ic_info.png
- ./res/drawable-xhdpi-v4/input.png
- ./res/drawable-xhdpi-v4/btn_number.png
- ./res/drawable-xhdpi-v4/image_flag.png
- ./res/drawable-xhdpi-v4/ic_launcher.png
- ./res/drawable-xhdpi-v4/a1.png
- ./res/drawable-xhdpi-v4/input_field.png
- ./res/drawable-xhdpi-v4/background.png
- ./res/drawable-xhdpi-v4/dropdown.png
- ./res/drawable-xhdpi-v4/ic_justice.png
- ./res/drawable-xhdpi-v4/btn_pay_pressed.png
- ./res/drawable-xhdpi-v4/image_jail.png
- ./res/drawable-xhdpi-v4/btn_number_pressed.png
- ./res/drawable-xhdpi-v4/btn_send.png
- ./res/drawable-xhdpi-v4/btn_backspace.png
- ./res/drawable-xhdpi-v4/btn_backspace_pressed.png
- ./res/drawable-xhdpi-v4/ic_home.png
- ./res/drawable-xhdpi-v4/photo_ramka.png
- ./res/drawable-xhdpi-v4/image_retail.png
- ./res/drawable-xhdpi-v4/image_lock.png
- ./res/drawable-xhdpi-v4/ic_clipboard.png
- ./res/drawable-xhdpi-v4/payment_smallbox.png
- ./res/drawable-xhdpi-v4/flag_box.png
- ./res/drawable-xhdpi-v4/payment_bigbox.png
- ./res/drawable-xhdpi-v4/location_box.png
- ./res/drawable-xhdpi-v4/btn_pay.png
- ./res/drawable-xhdpi-v4/image_method_moneypak.png
- ./res/drawable-xhdpi-v4/back.png
- ./res/drawable-xhdpi-v4/top_image.png
- ./res/drawable-xhdpi-v4/ic_money.png
- ./res/drawable-mdpi-v4/ic_info.png
- ./res/drawable-mdpi-v4/ic_launcher.png
- ./res/drawable-mdpi-v4/ic_money.png
- ./res/drawable-mdpi-v4/ic_home.png
- ./res/drawable-mdpi-v4/ic_clipboard.png
- ./res/drawable-mdpi-v4/ic_justice.png
- ./classes.dex
- ./AndroidManifest.xml
The malware asks for the following permissions:
- Send SMS messages.
- Monitor incoming SMS messages, to record or perform processing on them, or to process WAP Push messages.
- READ_CONTACTS
- INTERNET
- READ_HISTORY_BOOKMARKS
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |