New WannaCry-Mimicking SLocker Abuses QQ Services

by Lorin Wu

Trend Micro researchers detected a new SLocker variant that mimics the GUI of the WannaCry crypto-ransomware on the Android platform. Detected as ANDROIDOS_SLOCKER.OPSCB, this new SLocker mobile ransomware variant features new routines that utilize features of the Chinese social network QQ, along with persistent screen-locking capabilities.

SLocker, an Android file-encrypting ransomware first detected and analyzed in July, was found mimicking WannaCry’s GUI. Although Chinese police already arrested the ransomware’s alleged creator, other SLocker operators clearly remained unfazed.

Victims mostly contracted the mobile ransomware from QQ chat groups that discuss the popular gaming app ‘王者荣耀’ or King of Glory, which was also the previous variant’s infection vector. It poses as a set of game cheating tools, hiding under the names ‘钱来了’ or ‘Here comes money’, and ‘王者荣耀修改器’ or ‘Modifiers for King of Glory.’ The game is immensely popular in China, with 200 million registered users.

Samples of the variant were packaged as “com.android.admin.hongyan” (hongyan means ‘beauty’) and “com.android.admin.huanmie” (huanmie means ‘disillusionment’). ‘Hongyan’ and ‘huanmie’ are terms widely used in Chinese novels that are popular with teenagers.

Figure 1. Screenshot of the ransom note

Figure 2. Screenshot of decrypted files. In English, ‘文件已被幻灭劫持’ means the files are locked by Disillusionment.

Additional Features of the New Variant

Aside from the GUI, which also has a few design changes, and its ability to change the wallpaper of the device once the fake tool is run, this new SLocker variant doesn’t share any other similarities with its predecessor. Unlike ANDROIDOS_SLOCKER.OPST, the new variant was created using the Android integrated development environment (AIDE), a program used to develop Android apps directly on an Android device. It is important to note that using AIDE makes it easier for ransomware operators to develop simple Android Package Kits (APKs), and the convenience it provides can attract newcomers to develop their own variants.

In fact, the ‘ADDING GROUP’ text located at the bottom of the ransom note in Figure 1 redirects the victim to a QQ forum that discusses how to create ransomware in exchange for money.

Figure 3. Screenshot of the QQ group page

The page is titled ‘锁机幼稚园,’ or Lock-Phone Kindergarten, and was created May 16, 2017. The description claims that the main function of the group is to teach and discuss how to lock access to phones, and that source codes will be updated continuously. At the bottom of the page, there’s a button that says ‘request to join this group.’

Apart from that, the ransom note carries another text element, ‘CONTACT US’, which the previous mobile ransomware didn’t have. Clicking it opens the victim’s QQ chat window, supposedly to allow the ransomware operator to communicate with the victim on how to decrypt the files.

Navigating to the QQ profile page of the supposed ransomware operator also reveals a text post claiming that, in order to decrypt the files, the victim must follow instructions to be provided by an unidentified person during an incoming call.

Figure 4. QQ chat window between the victim and the ransomware operator

In addition, this variant is signed with legitimate certificates that non-malicious apps also use, presumably to avoid being blacklisted by antivirus vendors; these certificates can be downloaded freely from Google’s Android Open Source Project (AOSP). It also uses a legitimate cloud storage service (bmob), which the ransomware operator can abuse to change the decryption key.

Figure 5. The new variant’s package structure

How the SLocker variant encrypts files

Despite appearing more advanced with its additional routines, this variant actually uses a less sophisticated encryption process. While its predecessor used HTTP, Tor or XMPP to communicate with remote C&C servers, this variant doesn’t use any C&C communication at all.

When executed, it carelessly targets all file types on the SD card, including cache, system log, and tmp files, which are relatively insignificant to mobile users. The previous variant excluded those files from its encryption process, choosing only important ones such as Microsoft Office documents, as well as video and image file formats. Based on the samples, the variant appears to have used the AES encryption algorithm and the obsolete DES encryption algorithm, which is another sign of its incompetence.

Figure 6. Snippet of code showing the DES encryption algorithm

Persistent screen-locking features

Perhaps to make up for the flaw of encrypting all file types on the SD card, it compensates with its ability to lock access to the screen. If victims click the decryption button in the ransom note, the device administrator UI appears and persistently hijacks the screen whenever victims click the cancellation button. If victims click the activation button, the variant sets or resets the device’s PIN, locking access to the screen as well.

Figure 7. Screenshot of the device administrator UI

Figure 8. Screenshot of the PIN locker
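As an added defender-side example (not code from Trend Micro or from the write-up), the following stdlib-only Python script triages an APK for the traits described above: the package names reported for the samples, the device-admin API plus resetPassword pair behind the PIN lock, the obsolete DES cipher, and the bmob SDK. The bmob class prefix `Lcn/bmob/` is an assumption, and the sample APK the script builds is constructed for the demonstration, not a real sample.

```python
import io
import re
import zipfile
# Package names reported for the samples in the write-up above.
KNOWN_PACKAGES = ("com.android.admin.hongyan", "com.android.admin.huanmie")
# Behaviour indicators from the write-up, as byte regexes over classes.dex. DEX string-pool
# entries are <uleb128 length><MUTF-8 text>\x00, so anchoring on the length byte and the
# terminator keeps a literal "DES" from matching longer words such as "DESCRIPTION".
DEX_INDICATORS = {
    "device_admin":   rb"Landroid/app/admin/DevicePolicyManager;",
    "reset_password": rb"\x0dresetPassword\x00",  # DevicePolicyManager.resetPassword
    "des_cipher":     rb"[\x03-\x20]DES(?:/[A-Z]+/[A-Za-z0-9]+)?\x00",
    "bmob_sdk":       rb"Lcn/bmob/",  # assumed class prefix of the bmob Android SDK
}

def scan_dex(dex: bytes) -> list:
    """Return the names of the indicators whose pattern occurs in a dex blob."""
    return [name for name, pat in DEX_INDICATORS.items() if re.search(pat, dex)]

def find_known_package(manifest: bytes) -> str:
    """Match a known package name in a binary AndroidManifest.xml (UTF-16LE or UTF-8 pool)."""
    for pkg in KNOWN_PACKAGES:
        if pkg.encode("utf-16-le") in manifest or pkg.encode("utf-8") in manifest:
            return pkg
    return ""

def triage_apk(apk_bytes: bytes) -> dict:
    """Triage one APK given as bytes. It is flagged when it carries a known package
    name or the device-admin + resetPassword pair behind the PIN lock described above."""
    result = {"package": "", "indicators": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        if "AndroidManifest.xml" in names:
            result["package"] = find_known_package(zf.read("AndroidManifest.xml"))
        for name in sorted(names):
            if re.fullmatch(r"classes\d*\.dex", name):
                result["indicators"] += scan_dex(zf.read(name))
    locker = {"device_admin", "reset_password"} <= set(result["indicators"])
    result["suspicious"] = bool(result["package"]) or locker
    return result

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK (not a real sample): fake manifest plus fake dex."""
    dex = (b"dex\n035\x00\x27Landroid/app/admin/DevicePolicyManager;\x00\x0dresetPassword\x00"
           b"\x13DES/ECB/PKCS5Padding\x00\x0bDESCRIPTION\x00")
    manifest = b"\x03\x00\x08\x00" + "com.android.admin.huanmie".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

Run `triage_apk(open(path, "rb").read())` over a quarantined APK; a hit on the package list or on the device-admin pair warrants a closer look, while a lone "des_cipher" hit is weaker evidence on its own.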

Solutions and Recommendations

While this new SLocker variant features a relatively flawed encryption process, the new capabilities it possesses should caution QQ subscribers and mobile gamers about the growing sophistication of ransomware operators’ attack tactics. The increasing proliferation of new variants shows that threat actors are not slowing down.

Here are tips on how to prevent ransomware from infecting your mobile devices:

  • Only install apps downloaded from legitimate app stores such as Google Play
  • Be careful about permissions an app asks for, especially those that allow the app to read/write on external storage
  • Back up your data regularly—either on another secure device or on cloud storage
  • Install comprehensive antivirus solutions. Mobile security solutions such as Trend Micro™ Mobile Security block threats from app stores before they can be installed and cause damage to devices, while Trend Micro™ Maximum Security offers in-depth protection for multiple devices and proactively secures them from the threat of ransomware.

Indicators of Compromise (IOCs)


Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 2 August 2017; the full text is available from the content source linked above.