Trend Micro Incorporated a cyber security solution detected a new variant of mobile ransomware SLocker, notable for being an Android file-encrypting ransomware. This particular SLocker variant is the first mobile ransomware to capitalise on the success of the previous WannaCry outbreak and copies it’s GUI.
This ransomware disguises itself as game guides, video players, and so on in order to lure users into installing it. When the ransomware is installed, it will check whether it has been run before. If it is not, it will generate a random number and store it in SharedPreferences, which is where persistent application data is saved. Then it will locate the device’s external storage directory and start a new thread. Once the ransomware runs, the app will change the icon and name, along with the wallpaper of the infected device. The ransomware announces a disabled activity. It then changes its icon by disabling the original activity and enabling the alias.
The original sample captured by Trend Micro was named ‘King of Glory Auxiliary’, which was disguised as a cheating tool for the game King of Glory. When installed, it has a similar appearance to WannaCry, which has already inspired a few imitators. Trend Micro observed that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos).
When a file that meets all the requirements is found, the thread will use ExecutorService to run a new task. Once the file has been encrypted, a suffix will be added to the file name. The suffix contains a QQ number and the random number used to generate the cipher. The ransomware presents victims with three options to pay the ransom, but in the sample analysed by Trend Micro, all three led to same QR code that asks the victims to pay via QQ (a popular Chinese mobile payment service). If victims refuse to pay after three days, then the ransom price will be raised. It threatens to delete all files after a week.
The ransomware tells victims that a decrypt key will be sent after the ransom has been paid. Trend Micro analysed and found that if victims input the key and click the Decrypt button, the ransomware will compare the key input with the value in MainActivity.m. But after tracking MainActivity.m, they found that the value is actually the previously mentioned random number plus 520. Using that as the key and clicking on the Decrypt button will decrypt the files.
The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom. After laying low for a few years, it had a sudden resurgence last May. Shortly after details about the ransomware surfaced, decrypt tools were published. After the initial ransomware was exposed, more and more variants appeared. Five days after its initial detection, a suspect supposedly responsible for the ransomware was arrested by the Chinese police. Luckily, due to the limited transmission channels (it was spread mostly through forums like QQ groups and Bulletin Board Systems), the number of victims was very low. However, the proliferation of new variants so quickly after the first one shows that these malicious actors are not slowing down. Even though a suspect was caught, more advanced ransomware may be just around the corner.