First, let’s take look at SLocker versus Lollipop.
Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.
Typically all-too-common sorts of overreaching permissions are requested.
So that’s a small social engineering barrier at best.
If you have a good security app installed, you’ll see something such as this.
But if you don’t, and open the app, this is the prompt you’ll receive.
That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.
The FBI apparently accepts “PayPal My Cash” to pay the
In its effort to intimidate the victim, SLocker takes a forward facing photo.
This example is pointed towards the ceiling above Zimry’s desk.
And a PRISM logo is thrown in for good measure.
It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something such as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.
A good best computer security practice is to run as “user” from a restricted profile which limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for and focus on parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.
By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.
How does Android Marshmallow fare against SLocker?
Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow and so you’ll see just what giving administrator rights entails. It’s bad. The power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrators rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving into the extortioners.
But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.
0f25cefa85a0822a08ad23caca24a622fbf4aef0 12dc90592c1945fe647d04902b2707e756e88037 25311dfbc4961a661494a2767d2fb74c532539cc 68e7879074b9e2635d895616d4862383fe5960db 84b541957d7e42b4b7d95763fb48d03fcca21ffd c0784e974da5b7e82e9921763f957e1f3ec024e7
Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.