SLocker Versus Marshmallow

The Android ransomware SLocker recently began taking advantage of Android Lollipop in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow?

First, let’s take a look at SLocker versus Lollipop.

Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.

Porn Droid app

At install time the app requests the all-too-common sort of overreaching permissions.

PornPro app permissions

So the permission list is a small social engineering barrier at best.

PornPro permissions continued

If you have a good security app installed, you’ll see something such as this.

This app contains a virus

But if you don’t, and open the app, this is the prompt you’ll receive.

Disguised request for admin permissions

Update patch installation

That “Continue” button? It sits on top of a request for device administrator permissions: the fake “update patch” dialog is drawn over the system’s activation prompt, so the tap that appears to continue an update actually activates SLocker as a device administrator. (A very big flaw, indeed.) And once you tap to continue, SLocker uses its newly acquired admin privileges to launch its extortion scheme.

FBI-themed ransomware.

Slocker's FBI Warning (three screenshots)

The “FBI” apparently accepts “PayPal My Cash” cards for payment of the “fine”.

PayPal My Cash

In its effort to intimidate the victim, SLocker takes a photo with the front-facing camera and shows it in the warning.

This example is pointed towards the ceiling above Zimry’s desk.

Slocker tries to take a picture.

And a PRISM logo is thrown in for good measure.

FBI Mission: PRISM

It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.

A good security practice is to run day-to-day as a “user” from a restricted profile that limits installations, so that applications seeking administrator rights must be installed from the “admin” profile and require a passcode. We attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for, and focus on, parental control on tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted: it only created an additional profile, not a restricted one.

By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.

But now…

How does Android Marshmallow fare against SLocker?

Good news! SLocker’s “Continue” overlay fails on a phone running Marshmallow, so you see the real activation prompt and just what granting administrator rights entails. It’s bad: the power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortionists. Note also that an active device administrator can’t simply be uninstalled; it first has to be deactivated under Settings > Security > Device administrators, which is exactly the screen the ransomware’s lock overlay is designed to keep you from reaching.

Activate Device Administrator

But then the bad news: Android Marshmallow was released on October 5th (2015) and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.

Hashes (SHA-1):

0f25cefa85a0822a08ad23caca24a622fbf4aef0
12dc90592c1945fe647d04902b2707e756e88037
25311dfbc4961a661494a2767d2fb74c532539cc
68e7879074b9e2635d895616d4862383fe5960db
84b541957d7e42b4b7d95763fb48d03fcca21ffd
c0784e974da5b7e82e9921763f957e1f3ec024e7
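Two checks a practitioner would want after reading the Marshmallow prompt and the hash list above: what a sample actually asks for in its device-administrator policy, and whether a file on hand is one of the listed samples. The following is an added example, not F-Secure’s analysis tooling. It assumes the APK has already been decoded (for example with apktool) so that `res/xml/device_admin.xml` is plain text; the sample policy XML embedded below is constructed for illustration, but the policy tag names are the real ones Android recognises, and the IOC set is the SHA-1 list from this post.

```python
"""Triage helpers for an Android device-administrator sample such as SLocker.

Added example, not code from the original write-up. Assumes the APK has been
decoded (e.g. with apktool) so that res/xml/device_admin.xml is readable text.
"""
import hashlib
import os
import xml.etree.ElementTree as ET

# SHA-1 indicators listed in the write-up above.
SLOCKER_SHA1 = {
    "0f25cefa85a0822a08ad23caca24a622fbf4aef0",
    "12dc90592c1945fe647d04902b2707e756e88037",
    "25311dfbc4961a661494a2767d2fb74c532539cc",
    "68e7879074b9e2635d895616d4862383fe5960db",
    "84b541957d7e42b4b7d95763fb48d03fcca21ffd",
    "c0784e974da5b7e82e9921763f957e1f3ec024e7",
}

# Policies an app may declare under <uses-policies> in device_admin.xml.
# Tag names are Android's own; the notes describe what an abusive admin gets.
POLICY_RISK = {
    "wipe-data": "factory-reset the device (erase all data)",
    "reset-password": "change the lock-screen PIN/password",
    "encrypted-storage": "require storage encryption",
    "force-lock": "lock the screen on demand",
    "disable-camera": "disable the cameras",
    "disable-keyguard-features": "disable lock-screen widgets/features",
    "limit-password": "dictate password complexity",
    "watch-login": "observe failed unlock attempts",
    "expire-password": "force password changes",
}
# The combination the post calls out as "you're done" if granted.
HIGH_RISK = {"wipe-data", "reset-password", "encrypted-storage", "force-lock"}

# Constructed sample of what a locker's device_admin.xml typically declares.
SAMPLE_DEVICE_ADMIN_XML = """<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
        <wipe-data />
        <reset-password />
        <encrypted-storage />
        <force-lock />
    </uses-policies>
</device-admin>
"""


def requested_policies(device_admin_xml: str) -> list[str]:
    """Return the policy tags declared under <uses-policies>, in file order."""
    root = ET.fromstring(device_admin_xml)
    if root.tag != "device-admin":
        raise ValueError(f"not a device-admin policy file (root is <{root.tag}>)")
    uses = root.find("uses-policies")
    return [] if uses is None else [child.tag for child in uses]


def high_risk_policies(device_admin_xml: str) -> list[str]:
    """Subset of declared policies that give a malicious admin lock/wipe power."""
    return sorted(set(requested_policies(device_admin_xml)) & HIGH_RISK)


def describe_policies(device_admin_xml: str) -> list[str]:
    """Human-readable lines, one per declared policy, for a triage report."""
    return [f"{tag}: {POLICY_RISK.get(tag, 'unknown policy tag')}"
            for tag in requested_policies(device_admin_xml)]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large APKs don't have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_sample(data: bytes, iocs: set[str] = SLOCKER_SHA1) -> bool:
    return sha1_hex(data) in iocs


def scan_directory(root: str, iocs: set[str] = SLOCKER_SHA1) -> dict[str, str]:
    """Map path -> SHA-1 for every file under root whose hash is in the IOC set."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha1_of_file(path)
            if digest in iocs:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    for line in describe_policies(SAMPLE_DEVICE_ADMIN_XML):
        print(line)
    print("high-risk:", high_risk_policies(SAMPLE_DEVICE_ADMIN_XML))
    print("IOC hits in cwd:", scan_directory("."))
```

Run it against a decoded APK’s `res/xml/device_admin.xml` (replace the constructed sample) and against a directory of collected APKs; any hit from `scan_directory` is one of the hashes above, and a `high_risk_policies` result containing `wipe-data` or `reset-password` is what the Marshmallow prompt is warning you about.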


Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.
