Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Android Ransomware. Show all posts

Global XMPP Android Ransomware Campaign hits tens thousands devices




Check Point’s malware research team has detected a new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action.

“We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher. ” the research team posted in its blog.

The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers.

Now, the phone owner sees a message holding his data hostage. The message, which looks like an official text, is also not a new ruse: the “NSA” allegedly accuses the mobile phone holder of wrong-doings such as browsing to pornographic sites on his phone, or violating copyrights law by holding/using protected content such as video, music, etc. To regain access to his device, he will have to pay a “fine.”

“The victim seems to have no alternative. The app can’t be removed by a regular user. Even if he were somehow able to remove it, his files would still remain encrypted. The ransom payment, however, will probably not reach the NSA but rather make its way to the hands of a cyber-criminal,” the team added.

According to team, while posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. 

XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.

Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked.

An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.

The XMPP channel allows a number of other commands to be launched remotely by the malware operators, including sending SMS messages and placing phone calls, as well as re-setting the configuration of the malware's communications (and the Bitcoin account to be used to submit victims' payments).


The team observed that ~10% of the users paid between $200 and $500 in ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k. They say the actual infection rate is probably much higher.

New variant of Android Ransomware 'SimpLocker' spotted


A New variant of the Android Ransomware known as 'SimpLocker' has been spotted by Security researchers at ESET.

This new variant has a few significant improvements including the language in which the fake warning message is written, it is now in English rather than Russian.

The malware is masquerading as a flash player for the Android and tricks users into installing it with administrator privileges .

Once the device is infected, it will show a ransom message saying that your device is locked because you were doing illegal things and demands you to pay around $300.

One of the variant attaches the photo of the victim taken by the front camera in the ransom message.  This trick will definitely scare victims into paying the ransom.

One of the worst features added to this variant is now it encrypts the compressed files such as ZIP, RAR and 7ZIP.  It means even your backup files are being encrypted by this trojan.

ESET has released a tool to decrypt the files that have been encrypted by Simplocker.  The say prevention is better than cure, so better focus on prevention - Be careful while installing apps from unknown sources.

Simplocker : First Android Ransomware that Encrypts files in Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom.  In some cases, it can actually cause more serious problems by encrypting the files on your system's hard drive.

Last year, Symantec discovered an android malware with hybrid characteristics of Fake AV and Ransomware. Last month, Bitdefender identified an android version of Ransomware which was being sold in the underground market.  The malware bluffed victims into paying a ransom but didn't actually encrypt the files.

Until now, there have been no reports of android malware that encrypts the files.

Security researchers at ESET say they have spotted the first variant of Ransomware that encrypts files in your Android Device.

The malware, dubbed as Simplocker, shows a ransom message written in Russian which informs victims that their device is locked for  viewing and distribution child porn.

It scans the SD card for certain file types such as image, document or videos, encrypts them using Advanced Encryption Standard(AES), and demands money in order to decrypt them.


It also gathers information about the infected device and sends to a command and control server.  The server is located in Tor ".onion" domain for purposes of anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them" Researchers at ESET say. 

Be careful when You Browse Adult contents in your Android phone

CryptoLocker Ransomware which is so far making trouble for Desktop users by scaring them into pay a fine to unlock their locked hard devices is now started to target Android users.

BitDefender have identified a new mobile version of the Ransomware which is being sold by the same group responsible for the Desktop version of Ransomware malware.

The malware dubbed as 'Android.Trojan. Koler.A' is being served to the mobile devices, when the users are browsing certain adult content websites.

The malware disguise itself as badoink, a video player that needs to be installed to get premium access to porn and tricks users into installing the app.

Once installed, the malware finds the location of victims and shows a fake warning message in their local language.

"Attention! Your Phone has been blocked up for safety reasons listed below.  All the action peformed on this phone are fixed.  All your files are encrypted.  Conducted Audio and Video" The fake message reads.

The warning message informs the victims that their files have been encrypted and they have to pay $300 ransom in order to unlock their device. 

But, No Need to Panic ! The files stored on the device are not actually encrypted as the warning message claims.  By pressing Home button, you can return to Home screen. You will have 5 seconds to Uninstall the app from your device.

Safe Mode to Remove the malicious app:
This malicious app is Not Sophisticated one, you can uninstall the app by booting the device in Safe Mode.

"The group behind this exploit is falsely and egregiously using the BaDoink
brand and logo, a brand that adult consumers have trusted for 8 years, to
spread this Ransomware."In an email sent to EHN, the company behind the legitimate version of Badoink, has clarified that they've nothing to do with this ransomware.