During our routine threat research, the Cyble Research team came across a malicious app from a Twitter post. Our team collected the sample APK file and performed a thorough analysis through which we were able to identify that this application is a ransomware variant.
Upon further analysis, we found that the app can be categorized as a variant of the Android-Locker ransomware, which operates by locking Android devices and demanding ransom from the victim in exchange for unlocking it.
Figure 1: Fake Security App
We also learned that the attacker uses a web-hosted server to distribute this ransomware variant. The server URL impersonates a Google Play Store URL, tricking the users into downloading the app.
According to Open-Source Intelligence (OSINT), users are tricked into installing this application through various social engineering or phishing techniques that infect the victim device.
The attacker is leveraging the sideloading feature, which is used to install applications from sources other than the official Google Play Store.
Our analysis found that the malicious app asks for dangerous permissions such as ACCESSIBILITY and DEVICE_ADMIN to take control of the device. This Android locker malware app blocks the user from using the device and demands a ransom of $25 to unlock the device.
We performed a detailed analysis of the malware, which has been discussed below.
Our analysis of the ransomware APK file showed the following results.
APK Metadata Information:
- App Name: Butewoorse Hacker
- Package Name: com. device.security
Based on our metadata analysis, we found that the application has dangerous permissions that are used to control the device. These are:
Based on these permissions, the application can take control of the device. However, it cannot access or modify the storage files – something that is typically done by ransomware.
Based on further investigation of the APK, we have found additional details on the behavior of the malicious application, as listed below.
The malware asks for BIND_DEVICE_ADMIN and ACCESSIBILITY permissions at the start.
Figure 2: App asking for Admin and ACCESSIBILITY permissions
The BIND_DEVICE_ADMIN permission allows the app to take control of the user’s activities. This permission also prevents the user from uninstalling the app. ACCESSIBILITY is a feature that was introduced to enable users with disabilities to interact with the device.
The ransomware uses these permissions to control and block the user from interacting with the device.
The application also requests the IGNORE_BATTERY_OPTIMIZATION permission. The Android-Locker malware uses this permission to prevent it from being shut down by the Battery Optimization feature in Android.
The figure below depicts the code that runs the malware in the background with the help of the BATTERY_OPTIMIZATION permission.
Figure 3: Code to run the services in the background all the time
The application blocks the user from entering the Settings page. When the user tries to open the default settings app, the malware opens the ransom note instead. The same is shown in the figure below.
Figure 4: Code to block the user from accessing the settings page
We also found that the malware is constantly monitoring applications by running as a background service on the device. This is to keep an eye on new applications such as anti-virus or other security apps that can threaten the existence of the ransomware on the device. When the user installs any kind of security applications like anti-malware, anti-virus, etc., the ransomware blocks the user from using the security apps, as shown in the image below.
Figure 5: Code to monitor the applications installed on the device
From our dynamic analysis, we also found that the malware removes the icon on the device’s home screen to hide its presence, as shown in the figure below.
Figure 6: Hides app’s icon
We also observed that the malware blocks the user from using the device altogether. It displays the ransom note when the user tries to open other applications on the device, as shown in the below figure.
Figure 7: Ransom note showed by the malware
The ransom note is in Indonesian, and upon translation, the note states:
“THIS PHONE IS BLOCKED! Mobile phones are blocked for accessing illegal content, this community has been closed for a long time due to the harmful content in it, for those who access this community, all contact data, images and storage files have been uploaded to the server. The accessor will also be confiscated from running the device’s activities and will be destroyed within 50 hours. means you have to unlock the phone within 50 hours, if it exceeds that time limit, your phone will be dead forever. HOW TO OPEN THE PHONE? The phone can be unlocked by typing the code below correctly. don’t try any code, if you type the wrong code up to 15X, the phone will not turn on again. HERE IS THE ANSWER You pay me 25$ (Rp.350.000) I will give you the Decrypt code. check on Web Designius for payment methods. Contact Email: firstname.lastname@example.org or Telegram: @lizardt_squad to pay and get the code. ONLY THE ABOVE CONTACTS CAN UNLOCK THE DECRYPT KEY”
The malware only allows the user to interact with the whitelisted apps, as shown in the below figure.
Figure 8: Code which shows the whitelisted apps.
We also found a PIN hardcode in the APK file that can be used to unlock the device.
Hardcoded PIN: 0812308208744
A publicly available URL was found in the app. Through this, the attacker gives the users the option to pay the ransom via PayPal with the following details in Indonesian.
The translated content in Pastebin is:
“1. create an account at www.paypal[.]com
2. register a paypal account or login if you already have one
3. buy paypal balance if the wallet is empty $0
4. Go to hxxps://paypal[.]me/lizardsquads?locale.x=id_ID and select send
5. send a balance of 25$
6. After the transaction is complete, send proof of payment to my email or telegram address.
7. Wait until I answer.”
Pastebin URL: hxxps://pastebin[.]com/d0bYqCMc
Our analysis indicated that the hardcoded strings in the APK and the string messages shown to the victim are written in Indonesian. The currency mentioned in the ransom note is Indonesian as well. Based on these indicators, we suspect that the attacker is targeting Indonesian citizens.
Attackers are continuing to use phishing techniques to target unsuspecting users and tricking them into installing malicious applications. One of the best methods to prevent these malicious apps from entering your device is by installing apps only from trusted and registered app stores. The malware can only infect the device through the sideloading feature, which only the user can enable.
We’ve listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:
- If you find this malware in your device, uninstall it immediately.
- Use the shared IoCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from trusted sites.
- Verify the privileges and permissions requested by apps before granting them access.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Defense Evasion||T1406 |
|Obfuscated Files or Information |
|Discovery||T1421||System Network Connections Discovery|
|Collection||T1507||Network Information Discovery|
|Command and Control||T1571||Non-Standard Port|
|Impact||T1447||Delete Device Data|
Indicators of Compromise (IoCs):
|488ace5b609f5a04530d06c5c5c9efce9dd7fd714f03a533c4fc7d18311ec324||SHA256||Hash of the sample|
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.