SLocker Versus Marshmallow
2015-10-22

Android ransomware SLocker recently began taking advantage of Android Lollipop flaws in a very serious (and devious) way. But how does SLocker fare against Android Marshmallow?

First, let’s take look at SLocker versus Lollipop.

Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.

Porn Droid app

Typically all-too-common sorts of overreaching permissions are requested.

PornPro app permissions

So that’s a small social engineering barrier at best.

PornPro permissions continued

If you have a good security app installed, you’ll see something such as this.

This app contains a virus

But if you don’t, and open the app, this is the prompt you’ll receive.

Disguised request for admin permissions

Update patch installation

That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.

FBI-themed ransomware.

Slocker's FBI Warning

Slocker's FBI Warning

Slocker's FBI Warning

The FBI apparently accepts “PayPal My Cash” to pay the fine extortion.

PayPal My Cash

In its effort to intimidate the victim, SLocker takes a forward facing photo.

This example is pointed towards the ceiling above Zimry’s desk.

Slocker tries to take a picture.

And a PRISM logo is thrown in for good measure.

FBI Mission: PRISM

It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something such as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.

A good best computer security practice is to run as “user” from a restricted profile which limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for and focus on parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.

By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.

But now…

How does Android Marshmallow fare against SLocker?

Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow and so you’ll see just what giving administrator rights entails. It’s bad. The power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrators rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving into the extortioners.

Activate Device Administrator

But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.

Hashes:

0f25cefa85a0822a08ad23caca24a622fbf4aef0
12dc90592c1945fe647d04902b2707e756e88037
25311dfbc4961a661494a2767d2fb74c532539cc
68e7879074b9e2635d895616d4862383fe5960db
84b541957d7e42b4b7d95763fb48d03fcca21ffd
c0784e974da5b7e82e9921763f957e1f3ec024e7

 

Analysis of  Trojan:Android/Slocker.BJ provided by Zimry Ong.

Tags:


Articles with similar Tags

Following The Bad Rabbit

On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our […]
2017-10-26

How EternalPetya Encrypts Files In User Mode

On Thursday of last week (June 29th 2017), just after writing about EternalPetya, we discovered that the user-mode file encryption-decryption mechanism would be functional, provided a victim could obtain the correct key from the malware’s author. Here’s a description of how that mechanism works. EternalPetya malware uses the standard Win32 crypto API to encrypt data. […]
2017-07-04

What Good Is A Not For Profit (Eternal) Petya?

Following up on our post from yesterday, as an intellectual thought experiment, let’s take the position that there’s something to the idea of (Eternal) Petya not being motivated by money/profit. Let’s also just go ahead and imagine that it’s been developed by a nation state. In my mind, it raises the following question: WTF WHY? […]
2017-06-30

(Eternal) Petya From A Developer’s Perspective

In our previous post about Petya, we speculated that the short-cuts, design flaws, and non-functional mechanisms observed in the  malware could have arisen due to it being developed under a tight deadline. I’d now like to elaborate a little on what we meant by that. As a recap, this is what the latest version of Petya […]
2017-06-30

Petya: “I Want To Believe”

There’s been a lot of speculation and conjecture around this “Petya” outbreak. A great deal of it seems to have been fueled by confirmation bias (to us, at least). Many things about this malware don’t add up (at first glance). But it wouldn’t be the first time that’s happened. And yet everyone seems to have […]
2017-06-29

WannaCry, Party Like It’s 2003

Let’s take a moment to collect what we know about WannaCry (W32/WCry) and what we can learn from it. When looked at from a technical perspective, WCry (in its two binary components) has the following properties. Comprised of two Windows binaries. mssecsvc.exe: a worm that handles spreading and drops the payload. tasksche.exe: a ransomware trojan […]
2017-05-15

WCry: Knowns And Unknowns

WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know. WCry has currently made a measly $25,000 They now made […]
2017-05-13

Ransomware Timeline: 2010 – 2017

I’ve seen numerous compliments for this graphic by Micke, so… here’s a high-res version. Enjoy! Source: State of Cyber Security 2017
2017-04-18

Apple, Google, And The CIA

Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents. Here’s Apple’s statement via BuzzFeed News. According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, […]
2017-03-09

Bitcoin Friction Is Ransomware’s Only Constraint

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) […]
2017-02-22