Malware Name: Simplocker
Operating System (OS): Android
Credits to: ESET and Robert Lipovsky.
- Restarts itself on boot
- Encrypts with AES the files on the SD card that have one of the extensions ("jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4").
- Connects to the C&C server anonymously over Tor.
- Asks for a ransom in order to decrypt the encrypted file(s).
The data sent by the malware to the C&C server are the following:
- locker check - to check whether the user has paid
- device id - the IMEI of the user's phone
- client number - the value '19', probably so the attacker knows from which "product" the payment was received.
The malware polls the C&C server every 180 seconds to see whether a payment has been made.
It also checks its preferences every 1 second for information about the payment status. As long as the user has not paid, it keeps the main activity in the foreground all the time.
After payment the malware receives the command <stop> from the C&C server; it then stops operating and decrypts the encrypted files.
It uses the SHA-256 hash of the hard-coded password <jndlasf074hr> to
decrypt the files.
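Because the key is derived from a hard-coded password, the files can be recovered offline without paying. The following is an added example of such a recovery helper written for this page; it is not ESET's decryptor and not code from the malware. The key derivation (AES key = SHA-256 of the password) is taken from the analysis above; the cipher mode and padding (CBC/PKCS5), the all-zero IV, the ".enc" suffix on locked files, and the sample plaintext are assumptions made here and are marked as such in the code. The locked originals are never deleted, so a wrong assumption cannot destroy evidence.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Offline recovery helper for files locked by Simplocker (illustrative, not ESET's decryptor). */
public class SimplockerRecovery {
    // Hard-coded password reported in the analysis above; the AES key is its SHA-256 digest.
    static final String PASSWORD = "jndlasf074hr";
    // ASSUMPTIONS (not stated in the post): cipher mode/padding, an all-zero IV and the ".enc" suffix.
    static final String TRANSFORM = "AES/CBC/PKCS5Padding";
    static final byte[] IV = new byte[16];
    static final String ENCRYPTED_SUFFIX = ".enc";

    /** Key derivation as described in the post: AES key = SHA-256(password). */
    static SecretKeySpec deriveKey(String password) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(digest, "AES"); // 32-byte digest -> AES-256 key
    }

    private static byte[] run(int mode, byte[] input) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(mode, deriveKey(PASSWORD), new IvParameterSpec(IV));
        return cipher.doFinal(input);
    }

    static byte[] decrypt(byte[] ciphertext) throws GeneralSecurityException {
        return run(Cipher.DECRYPT_MODE, ciphertext);
    }

    /** Used only by the built-in self-test to fabricate a locked file. */
    static byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        return run(Cipher.ENCRYPT_MODE, plaintext);
    }

    /**
     * Decrypts every *.enc file below dir into a sibling file without the suffix.
     * The locked original is kept so a wrong assumption cannot destroy evidence.
     */
    static int recoverDirectory(Path dir) throws IOException {
        List<Path> locked;
        try (Stream<Path> walk = Files.walk(dir)) {
            locked = walk.filter(Files::isRegularFile)
                    .filter(p -> p.getFileName().toString().endsWith(ENCRYPTED_SUFFIX))
                    .collect(Collectors.toList());
        }
        int restored = 0;
        for (Path p : locked) {
            String name = p.getFileName().toString();
            Path out = p.resolveSibling(name.substring(0, name.length() - ENCRYPTED_SUFFIX.length()));
            try {
                Files.write(out, decrypt(Files.readAllBytes(p)));
                restored++;
            } catch (GeneralSecurityException e) {
                // A padding error here means the key, mode or IV assumption does not fit this file.
                System.err.println("skip " + p + ": " + e.getMessage());
            }
        }
        return restored;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a short byte string standing in for a victim's photo.
        byte[] sample = "constructed sample image bytes".getBytes(StandardCharsets.UTF_8);
        byte[] locked = encrypt(sample);
        if (!Arrays.equals(sample, decrypt(locked))) throw new IllegalStateException("self-test failed");
        System.out.println("self-test ok: " + locked.length + " encrypted bytes round-tripped");
        if (args.length == 1) {
            System.out.println("restored " + recoverDirectory(Paths.get(args[0])) + " file(s)");
        }
    }
}
```

Compile and run with `javac SimplockerRecovery.java && java SimplockerRecovery /path/to/sdcard-copy`; without an argument it only runs the in-memory self-test. Work on a copy of the SD card, not the original. Since the key is 256 bits, JDKs older than 8u161 need the unlimited-strength JCE policy files installed.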
Analysis with DroidBox also shows exactly the time periods in which the malware encrypts the files (2-7 sec) and waits for the payment (after 15 sec).
The analyzed sample was found on Contagio and has the SHA-256 hash:
8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97