Attack of the 90s Kids: Chinese Teens Take On the Mobile Ransomware Trade

A new breed of cybercriminals has surfaced in China. They are bolder and more reckless than their more experienced veteran counterparts. All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online. They find and share readily available code and use those to make their own malware. It’s these same teens that are causing a surge in mobile ransomware in the Chinese underground market.

A younger mobile ransomware landscape

These young cybercriminals’ reckless foray into cybercrime was probably emboldened by the weak enforcement of existing local laws and—highly likely—teen bravado.

We first noticed these cybercriminal upstarts while monitoring a particular Android ransomware, ANDROIDOS_JIANMO.HAT. This variant makes it impossible for a user to access his device since it locks the screen, restricting any kind of user activity.

Going underground, we found that there are more than a thousand variants of this malware. About 250 of these contained information about the malware creator, including their contact details and their ages, which range from 16 to 21.

Figure 1. QQ (Chinese messenging service) account profiles of the the malware creators, including age (last row)

Examining these variants, it became apparent that they all came from a single source code that was widely distributed in underground forums. In the image below, we can see the two versions of the ransomware lock screen. The original version on the left has text fields with jokes. The modified version on the right contains the information ransomware victims can use to contact their extortionist. In this case, the extortionist left a QQ group account.

Figure 2. The malware on the right contains a message (in red) that coyly states “If you want to unlock it, do not contact QQ group account [number]”

It’s possible that the original was simply a prototype since it didn’t contain any information regarding payment. But after the code was distributed in the underground, it became the foundation for ransomware variants. All that was left for the teen cybercriminals to was to input their contact details.

Currently, these cybercriminals are demanding payments that range from US$5-10. While it might seem cheap compared to other ransomware variants, it’s highly possible that they can demand for more in the future. It’s also possible that they don’t demand as much since they have a lot of victims.

Spreading the infection

As we’ve previously noted, the Chinese cybercriminal underground offers several training services. So-called masters can train interested apprentices so they can pass on their knowledge hacking and the like. These teens follow the same setup. On top of their ransomware activities, they also offer tutorial services.

Figure 3. Forum post advertising malware tutorials

These cybercriminals rely on two methods to distribute their malware. First, they lurk in public forums, looking for posts about app recommendations. Should anyone request for app recommendations, they’d proceed with posting links pointing to the malware. These malware tutors can also make their apprentices distribute the malware in lieu of a “tuition fee.”

Figure 4. Distributing malware through app recommendations

We looked into some individuals who have entered into this type of venture. The first is one of the earliest recorded makers of the JIANMO malware, a 19-year old teen from China. From the JIANMO malware, he has since moved on to other ransomware. This newer malware of his, detected as ANDROIDOS_BZY.HBT, offers more features like a device administrator lock, effectively controlling the device. The victims will only receive a text message with unlocking details once they pay. We have noticed hundreds of online posts asking for help clean it.

Figure 5. QQ profile of 19-year old ransomware creator, containing a signature that says “providing remote unlock support” (top) and his latest malware, disguised as “Android Performance Booster” (bottom)

We found another malware creator with a similar business. This creator heads a group of apprentices that he tutors and uses for distributing malware. The figure below is the QQ profile of the group. It contains information like the fact that the group is based in Xi’an, China. It also contains a breakdown of information regarding its members. For example, 79% of the members are male, 6% are in Xi’an, and 62% of the members were born in the 90s.

Figure 6. “Study group” for malware creation and distribution, where 62% of the members were born in the 90s

Figure 7. Malware shared internally by the group

Information made available and accessible

As we mentioned earlier, these cybercriminals aren’t truly concerned with covering their tracks. They often use their IM accounts like those for QQ to contact their victims. These QQ accounts are usually their personal ones, meaning anyone can find out their real identities. Of course, it would be all too easy to fake the information posted on their QQ profiles. But given that we have seen young people involved in other cybercrime operations, having 19 year-old cybercriminals is highly plausible.

We were even able to gain access to the email account used in the mobile ransomware we detect as ANDROIDOS_GREYWOLF.HBT. This ransomware was made by the creator of the “study group” just mentioned. It pretends to be a love declaration app, designed to lure users into downloading and running the malware. It generates random serial number and unlock keys pair, and sends them back to the creator’s email. We were able to do so because the creator embedded both the email account and the password in the malware.

Figure 8. Ransomware serial number and unlock code sent from victims’ device

Figure 9. Sample transaction email with a victim

Furthermore, these cybercriminals favor payments made via Alipay, WeChat, and bank transfers. This is a marked departure from the current trend of using cryptocurrency to cover any illegal activity.

Security practices

Since the start of the year, we have seen more than 20 new mobile ransomware families, with one malware now having 1,000+ versions and offshoots. For users, this translates to a bigger probability of encountering ransomware while online.

To ensure that your downloaded apps are legitimate and not malware, you should only rely on official app stores and developers’ websites. Asking for app recommendations in forums is fine, so long as you don’t click on provided links. It’s better to search for the app itself than rely on a link posted by a stranger.

Before downloading any app, double check its developer and be very meticulous of the app reviews to verify apps’ legitimacy. On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these.

With additional insight from Lion Gu.

Here are the SHA1 hashes related to the mobile malware reported above:

ANDROIDOS_JIANMO.HAT