SLocker Versus Marshmallow

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow?

First, let’s take a look at SLocker versus Lollipop.

Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.

Porn Droid app

The app requests the all-too-common sort of overreaching permissions.

PornPro app permissions

So that’s a small social engineering barrier at best.

PornPro permissions continued

If you have a good security app installed, you’ll see something like this.

This app contains a virus

But if you don’t, and open the app, this is the prompt you’ll receive.

Disguised request for admin permissions

Update patch installation

That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.

FBI-themed ransomware.

Slocker's FBI Warning


The FBI apparently accepts “PayPal My Cash” as payment of the extortion “fine”.

PayPal My Cash

In its effort to intimidate the victim, SLocker takes a photo with the front-facing camera.

This example is pointed towards the ceiling above Zimry’s desk.

Slocker tries to take a picture.

And a PRISM logo is thrown in for good measure.

FBI Mission: PRISM

It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.

A good computer security practice is to run as a “user” from a restricted profile that limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile, which requires a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for, and focus on, parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted: it only created an additional profile, not a restricted one.

By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.

But now…

How does Android Marshmallow fare against SLocker?

Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow, so you’ll see exactly what granting administrator rights entails. It’s bad: the power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortioners.

Activate Device Administrator
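For anyone auditing a phone for exactly this, here is an added example (not part of the original analysis) that lists every non-system device administrator holding one of the three policies just described. It uses the public DevicePolicyManager API; the class name and the decision to skip system apps are my own choices.

```java
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/** Added example: report active device admins that hold high-impact policies. */
public final class DeviceAdminAudit {

    // The three powers the Marshmallow prompt spells out.
    private static final int[] RISKY_POLICIES = {
        DeviceAdminInfo.USES_POLICY_WIPE_DATA,      // erase all data
        DeviceAdminInfo.USES_POLICY_RESET_PASSWORD, // change the screen lock
        DeviceAdminInfo.USES_ENCRYPTED_STORAGE      // set storage encryption
    };
    private static final String[] POLICY_NAMES = {"wipe-data", "reset-password", "encrypted-storage"};

    /** Returns one finding per non-system admin that holds any risky policy. */
    public static List<String> audit(Context ctx) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<String> findings = new ArrayList<>();
        List<ComponentName> admins = dpm.getActiveAdmins(); // may be null when none are active
        if (admins == null) return findings;

        for (ComponentName admin : admins) {
            StringBuilder held = new StringBuilder();
            for (int i = 0; i < RISKY_POLICIES.length; i++) {
                if (dpm.hasGrantedPolicy(admin, RISKY_POLICIES[i])) {
                    if (held.length() > 0) held.append(',');
                    held.append(POLICY_NAMES[i]);
                }
            }
            boolean system = false;
            try {
                ApplicationInfo ai = pm.getApplicationInfo(admin.getPackageName(), 0);
                system = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            } catch (PackageManager.NameNotFoundException ignored) {
                // Package vanished between the two calls; treat it as third-party.
            }
            // A third-party app with any of these policies deserves a second look.
            if (held.length() > 0 && !system) {
                findings.add(admin.flattenToShortString() + " holds: " + held);
            }
        }
        return findings;
    }
}
```

Run it from any app context (e.g. an Activity) and review the returned strings; a freshly installed "update patch" appearing with wipe-data or reset-password is the pattern described above.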

But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.

Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.
