Thursday, 5 June 2014

Inside SimpLocker

Malware Name: Simplocker
Operating System (OS): Android
Credits to: ESET and Robert Lipovsky.

  • Restarts itself on boot
  • Encrypts with AES the files with the extensions ("jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4") that exist on the SD card.
  • Connects to the C&C server anonymously over Tor.
  • Asks for a ransom in order to decrypt the encrypted file(s).

The data sent by the malware to the C&C server are the following:

  • locker check - to check whether the user has paid
  • device id - the IMEI of the user's mobile
  • client number - with the number '19', probably so the attacker knows from which "product" the payment was received.

The malware checks the C&C server every 180 seconds to see whether a payment has been made.
It also checks the preferences every 1 sec for information about the status of the payment. If the user hasn't paid, it keeps the main activity on all the time.

After the payment the malware receives the command <stop> from the C&C server; it then stops operating and decrypts the encrypted files.

It uses the SHA-256 hash of the hard-coded password <jndlasf074hr> to decrypt the files.
Analysis with DroidBox also shows exactly the time periods in which the malware encrypts the files (2-7 sec) and waits for the payment (after 15 sec).
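As an added example (not code from the sample or from ESET's write-up), the Go routine below rebuilds the key the post describes, SHA-256 of the hard-coded password, and uses it to recover a file body, which is what a decryptor for affected users needs. The cipher mode (AES/CBC), the all-zero IV and PKCS#7 padding are assumptions not stated in this post, and the input is a constructed sample, not a real victim file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hard-coded password named in the post; the AES key is its SHA-256 digest.
const simplockerPassword = "jndlasf074hr"
// deriveKey reproduces the key derivation: AES-256 key = SHA-256(password).
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}
// decryptFile recovers one encrypted file body and validates its padding.
// CBC mode, all-zero IV and PKCS#7 padding are assumptions, not stated in the post.
func decryptFile(ciphertext []byte, password string) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, _ := aes.NewCipher(deriveKey(password)) // 32-byte key, never errors
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(plain, ciphertext)
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding: wrong key or corrupted file")
	}
	return plain[:len(plain)-n], nil
}
// encryptFile mirrors the same assumed scheme only so a constructed sample can be round-tripped.
func encryptFile(plaintext []byte, password string) []byte {
	block, _ := aes.NewCipher(deriveKey(password))
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out
}

func main() {
	sample := []byte("constructed sample, not a real victim file") // constructed input
	enc := encryptFile(sample, simplockerPassword)
	dec, err := decryptFile(enc, simplockerPassword)
	fmt.Printf("%d ciphertext bytes -> %q (err=%v)\n", len(enc), dec, err)
}
```

A real recovery tool would read each encrypted file from the SD card, pass its bytes to decryptFile and write the result back under the original name; the padding check makes a wrong key or a truncated file fail loudly instead of producing garbage.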

The analyzed sample was found on Contagio, with the SHA-256 hash:
