Learning from Bait and Switch Mobile Ransomware

We have recently caught sight of a mobile ransomware distributed by fake adult websites. It not only locks the device screen and display a warning supposedly coming from law enforcement—a tactic reminiscent of the Police Trojan that plagued desktops before—it also activates the unit’s front facing camera to add to its scare tactic. However, while it has routines unique to mobile ransomware, it also has a particular set of weaknesses that stand out.

Detected as ANDROIDOS_SLOCKER.AXBB, this malware shows several red flags throughout its process of getting into one’s phone. Despite these red flags, we have detected the malware in 11 countries, with Russia being the most affected with almost 80% of the total query count of over 3,400 detections as of March 23. We can attribute this high percentage to the malware’s effective social engineering tactics.

We are writing about this particular malware to help users understand mobile threats. We believe that users should have knowledge of common avenues cybercriminals use to spread mobile malware, and that secure settings are one’s first line of defense.

Getting the malware

From our observation, the malicious app can be downloaded from one of nine fake Russian adult video sites, which users may most likely encounter via spammed SMS. This raises the first red flag as users should avoid clicking links from spammed messages.

Figure 1. One of the fake Russian adult website

Figure 1. One of the fake Russian adult website

If a user taps on the spam links, they are directed to one of the fake adult websites. Clicking any video content on any of these sites redirects the user to one URL that asks users to download the said video named “Video_x<5-digit random number>_mp4.apk”.

Figure 2. Save screen showing file name and file size

The attacker will try to trick the user into downloading the file, thus the added mp4 text in the file name. This download file is the next red flag. Note the extension (APK) and the size of the file the user was expecting to download an mp4 file.
Upon downloading the file, a screen pops up asking the user to install the video. At this point, users should be aware that they have downloaded an application instead of a video. Downloading the wrong file or a file you did not intend to download is a common way to trick users into downloading malware into their mobile units.

Figure 3. Adult video installation

 If the user chooses to install the app, the installation creates an icon and the user must tap for it to activate. In the sample we analyzed, the icon created doesn’t even resemble whatever image was originally tapped. In this case, the user tries to download an adult video and ended up downloading an app. However, in cases where users are in fact downloading an app, users should read the security permission requests and see if they are necessary for the program.

The malware comes equipped with the following strings that get decoded upon installation:

  • “android.app.action.ADD_DEVICE_ADMIN”
  • “android.app.extra.DEVICE_ADMIN”
  • “android.app.extra.ADD_EXPLANATION”


Figure 4. Decoded strings prevent security products from detecting the malware

Clicking the newly added icon launches the malware. It first forces the users into giving the app admin permission. In some cases, this is the point of no return.

Figure 5. Activate screen shows app capabilities including erase all data

The app description (written in Russian) lures the user into activating the app with features such as Increase performance, more economical consumption, and removal of vulnerabilities. It also says that the procedure will not take more than 1 minute, and it will just run in the background.

Tapping Cancel closes the screen, but it pops back up less than a second after. Users are left with no choice but to tap the Activate button or reboot their phone. When the user taps Activate, they will then be diverted to the ransomware lock screen, which accuses the user to has viewed child sexual abuse material, among others:

Figure 6. Lock screen reminiscent to the first ransomware attempts ever

The text that appears as roughly translated as follows:

Your phone is locked, and all your personal data (including social networking data, bank cards) encryption and transferred to our server

Video with your participation successfully uploaded to the server

The reason for the lock service – visiting and viewing prohibited Internet resources containing elements of pornography involving minors, the elements of pedophilia, rape, incest, bestiality, and gay porn

To unlock the phone, as well as delete all data from the server, you need to pay a fine of 1000 rubles within 12h. Follow the instructions for the payment:

Find a mobile terminal for VISA QIWI WALLET payment (Qiwi Wallet).

Pay 1,000 rubles.

After receipt of payment your phone will be unlocked automatically and all data, including video with your participation, removed from the server within 8 hours.

If payment is not received within 12 hours, all the contacts of your phone, as well as all your contacts of social networks will be sent, that that your phone has been locked for viewing child pornography. Attempts to unlock the phone yourself will lead to complete blockage of your phone, and video with your participation will be posted to social networks and YouTube to mark PEDOFILIYA.A well as all the data on your phone will be sent messages to the prosecutor for criminal prosecution.

As mentioned earlier, this particular mobile ransomware activates the unit’s front facing camera and shows a preview screen while the phone is locked. This adds to the “video of your participation” bit connected to the warning mentioned early in the ransom note. Users should be aware that a one major ploy of ransomware is to scare or pressure users into paying ransom. Leveraging on law enforcement is a common tactic.


Figure 7. Front facing camera activated

In the case of ANDROIDOS_SLOCKER.AXBB, the video feed is indeed just a scare tactic. Despite their warning in the ransom note, the attackers cannot retrieve any data such as photos or other information from the locked phone. And while the attackers do have the capability to unlock the phone, paying the ransom is never a guarantee.

A critical flaw

At this point, the user cannot access anything on their device. However, there is a critical flaw if it infects a non-native Android phones or other mobile phones running on Android OS but created by other device manufacturers (for example: Samsung, Nexus etc.). This is due to the compatibility issues of ransomware variants to various types of Android phones. For instance, users of non-native Android phones can do simple steps like rebooting, then disabling admin permission, and uninstalling the malicious app.

ANDROIDOS_SLOCKER.AXBB showed several red flags that users could easily catch but we have to keep in mind that not all malware are the same. From a spam based infection vector to the obvious bait and switch, a user would be lucky if the malware they encounter were similar to this.

Apart from adult video sites, we also found a variant of this malware leveraging on popular game apps by using an identical package name and a debug certification. Through a debug certification, the said gaming app would be updated if a higher version of another APK with the same package name and certification is found. This meant that even though the two apps sharing the same package name were different, the ransomware would replace the game during an update.

Users may encounter a much more sophisticated malware. They could panic and pay the ransom. Others might not remember what led to the download and installation of malware. So it is imperative that users know the behavior of mobile malware and what to do to mitigate its damages.

Lessons Learned

At the end of the day, knowing how malware gets into devices is one of the best defenses one could have against this threat. So here are some helpful tips for users and organizations to help spot malicious apps and their behavior.

  • Malicious apps usually come from unreliable sources. Stick to trusted app stores like the official Play Store when downloading applications.
  • Be wary of suspicious links sent through SMS, IM, or even email.
  • Very few applications need admin privileges. If the request is unnecessary (for a calculator app for example) do not allow the app.
  • Always back up your mobile data from time to time.
  • Install a security app like Trend Micro Mobile Security and Trend Micro Mobile Security Personal Edition

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Learning from Bait and Switch Mobile Ransomware

Read more: Learning from Bait and Switch Mobile Ransomware

Incoming search terms

Story added 11. April 2016, content source with full text you can find at link above.