Check Point’s malware research team has detected a new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action.
“We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher. ” the research team posted in its blog.
The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers.
Now, the phone owner sees a message holding his data hostage. The message, which looks like an official text, is also not a new ruse: the “NSA” allegedly accuses the mobile phone holder of wrong-doings such as browsing to pornographic sites on his phone, or violating copyrights law by holding/using protected content such as video, music, etc. To regain access to his device, he will have to pay a “fine.”
“The victim seems to have no alternative. The app can’t be removed by a regular user. Even if he were somehow able to remove it, his files would still remain encrypted. The ransom payment, however, will probably not reach the NSA but rather make its way to the hands of a cyber-criminal,” the team added.
According to team, while posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools.
XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked.
An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.
The XMPP channel allows a number of other commands to be launched remotely by the malware operators, including sending SMS messages and placing phone calls, as well as re-setting the configuration of the malware’s communications (and the Bitcoin account to be used to submit victims’ payments).
The team observed that ~10% of the users paid between $200 and $500 in ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k. They say the actual infection rate is probably much higher.