Last month, Symantec blogged about an Android malware named Android.Fakedefender, the first example of ransomware that we have seen on the Android platform.
Fortinet detects this malware as Android/FakeDefend.A!tr
The malware’s operation can be broken down into three rough stages. For details of the modus operandi of this very sophisticated malware, read on.
- CONVINCE USER THE PHONE IS INFECTED
(‘Fake AV’ being the term of endearment for this in the security community)
The malware disguises itself as an Anti-Virus application and, to gain the victim’s confidence, even displays a list of viruses found on the ‘infected’ phone as seen in the figure below.
Fig1: List of ‘infections’ found
A closer look at the code reveals that the infections displayed are actually hard-coded in the package, i.e. the application shows the same list of infections irrespective of the phone it has ‘scanned’.
The application runs in the background at all times and displays regular infection notifications, as a legitimate AV application would.
- RENDER PHONE UNUSABLE
This is when the Ransomware functionality of the malware comes into play.
In principle, ransomware is a type of malware that restricts access to a device, holding it ‘hostage’ until the victim pays a ransom to restore regular functionality. On PCs, for example, we have encountered malware that encrypts crucial data on a user’s hard disk and asks the victim to pay the attacker in order to recover his/her data.
In this case, the ransomware renders the phone unusable, claiming to restore regular functionality once the victim purchases the Full Version of the Anti-Virus. This is carried out in two stages:
- First, the malware kills certain key processes, including known AV processes and some system processes on the victim’s phone, rendering several crucial applications unusable.
Peculiarly, it even deletes all ‘.apk’ files found on the external SD card of the device. My guess is that this is directed at application and ROM backups saved on the external memory card, in order to make recovery of the device even harder.
- And if the victim is not having a hard enough time using the device yet: 6 hours after installation of the malware, the phone is blocked at a ‘Lock Screen’, as seen in the figure below.
Fig2: Lock Screen (The pictures in the figure above are, in fact, pornographic images that have been blurred to maintain the chastity of our blog)
By this point, the user basically has a choice between resetting the phone and losing all data, OR purchasing the Full Version in order to ‘Remove All Threats’.
- HELP USER ‘CLEAN’ PHONE
If the user decides to purchase the Full Version of the application, s/he is directed to a very legitimate-looking screen with a form for the required credit card details (ref Fig3). Once the payment is submitted, the malware sends these details in clear text (gasp) to the attacker’s server; no update for the application is downloaded or installed. In short, the user has just fallen victim to a very intelligently crafted phishing scheme.
Fig3: Purchase Screen
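Because the card details leave the phone over plain HTTP, the exfiltration is visible to anything that can see the traffic, including your own network monitoring. The following is an added example (not code from the original post, and not from the malware) of the kind of check a defender would run over reassembled HTTP requests: find candidate card numbers, confirm them with the Luhn mod-10 check so random digit runs do not alert, and report them masked. The sample requests are constructed for the example; the host 203.0.113.5 and the paths are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample HTTP requests (not traffic captured from the malware), as
# they would appear on the wire after TCP reassembly. Plaintext HTTP is the
# point: every byte here is readable by any device on the path.
SAMPLE_REQUESTS = [
    "POST /buy.php HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
    "name=J+Doe&cc=4111111111111111&exp=0517&cvv=123",
    "POST /mail.php HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
    "subject=help&body=my+phone+is+locked",
    # Looks like a card number but fails the Luhn check, so it must not alert.
    "GET /update?id=4111111111111112 HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    "POST /pay HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
    "card=5555-5555-5555-4444&cvv=321",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so timestamps and IDs are not cut into pieces).
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every issued payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def request_line(raw: str) -> str:
    """First line of the request, e.g. 'POST /buy.php HTTP/1.1'."""
    return raw.split("\r\n", 1)[0]


def find_card_numbers(raw: str) -> List[str]:
    """Return the Luhn-valid card numbers found anywhere in one request."""
    found = []
    for m in CARD_RE.finditer(raw):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the card."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan(requests: List[str]) -> List[Tuple[str, str]]:
    """(request line, masked card number) for every plaintext card exfiltration."""
    hits = []
    for raw in requests:
        for pan in find_card_numbers(raw):
            hits.append((request_line(raw), mask(pan)))
    return hits


if __name__ == "__main__":
    for req, pan in scan(SAMPLE_REQUESTS):
        print(f"card number in clear text: {pan}  <-  {req}")
```

The Luhn filter is what keeps this usable: it rejects the `/update?id=...` request whose digit run is one digit off a real number, and it accepts the dash-separated form. The check only works because the malware described here uses plain HTTP; the same rule against TLS traffic has to run where the plaintext exists, at an egress proxy or on the device.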
- The application is very well designed, but contains no legitimate Anti-Virus capability whatsoever.
- It can be called a fraud ransomware, since even paying for the application does not restore normal functionality of the phone, unlike most ransomware, which ‘honours’ its side of the deal.
- It leaks the victim’s credit card details in clear text to a server, so they are exposed not only to the attacker but to anyone able to observe the traffic, which is detrimental on more than the one obvious level.
- If you have followed the evolution of mobile malware even briefly, you will know that most experts predicted it would follow the same curve as PC malware in terms of growth and attack vectors. The discovery of this Android ransomware only goes on to affirm that prediction.
As a takeaway from this post, I recommend downloading applications INCLUDING AV applications only from reliable sources (official company websites).
Miscellaneous information for the technically inclined
The list of viruses ‘found’ that is seen by the user is present, hard-coded in encrypted form, in the package. The key to decrypt it is found in one of the libraries in the package. The decrypted information is saved in a database named ‘virusdb.db’ on the infected phone.
Interestingly, the pornographic images shown in Fig2 are present as a gzipped and encrypted byte stream, hard-coded in the package.
The application, in a very professional manner, contains a ‘Contact’ option allowing the user to email ‘Support’ with queries. From examination of the code, we see that these queries are sent to “http://XX.XX.221.225/mail.php”. This server is up and running at the time of writing this post and even responds with a ticket number for the user’s query!