Summary

First things first. The app pretends to be the NFS Hot Pursuit Android game, straight from EA. Both the app name and the icon look like those of a legitimate game. However, upon running, it displays a screen stating that your phone has been blocked because the user watched child pornography. The ransomware targets both Russians and Ukrainians and has text in both languages. The code below checks whether the SimCountryIso is equal to "ua" and changes the displayed text accordingly.

The "fine" that has to be paid is equal to either 100 hryvnia (8 dollars!) or 500 rubles (~ 13 USD). The fine has to be paid either through the QIWI VISA WALLET, which is a kind of prepaid wallet popular in Russia, or by (and this is the fun part) adding funds to a prepaid phone! Instructions on how to add funds to that phone are included. They are provided below. I don't know either Ukrainian or Russian, but I used Google Translate and so can you!

1. Find the nearest terminal.

2. Go to the terminal and select account top-up.

3. Enter the phone number +380685815686 and press Next.

4. Insert money into the bill acceptor and press Pay.

5. Within 180 minutes after the payment is received, your phone will be unlocked.

WARNING: Attempts to unlock the phone yourself will lead to:

Complete blocking of your phone and loss of all important information (photos, videos, music).

Without any further possibility of unlocking or data recovery.

What is also quite interesting is that the number above is provided in plaintext, while the Russian number is encrypted inside the code.

So how does the locking actually work? It's plain and simple. First, we set up an ExecutorService and call the function. Every second an activity is run. This activity is responsible for displaying the ransom demand above.

The second scheduled task checks a URL address. It does so by sending a randomly generated number with the device ID using a GET request. If it receives a 200 response code, it sets a "STOPE" flag and the application is harmless. That's the whole "protocol".

As for the persistence methods, it just uses the BOOT_COMPLETED intent to start the activity. It also uses a WakeLock to ensure that the user does not switch off the device. The fun part is the use of the ACTION_EXTERNAL_APPLICATIONS_AVAILABLE. It's an Intent, which is broadcast when any new set of packages becomes available, e.g. when the user installs an app. This probably prevents the user from changing the app context, but it's just a guess.
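A triage check for the persistence traits described above, written as an added example (it is not code from the original post or from the sample). It assumes the APK's manifest has already been decoded to plain XML and that both broadcast actions are declared there; the package, activity and receiver names in the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Traits named in the write-up, mapped to the Android manifest constants.
TRAIT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE": "reacts to new packages",
}
TRAIT_PERMISSIONS = {"android.permission.WAKE_LOCK": "can hold a WakeLock"}

# Constructed sample manifest (decoded XML); all component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakegame">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="NFS Hot Pursuit">
    <activity android:name=".LockActivity"/>
    <receiver android:name=".Starter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return {'findings': [...], 'suspicious': bool} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in TRAIT_PERMISSIONS:
            findings.append(("permission", name, TRAIT_PERMISSIONS[name]))
    # Only actions registered on <receiver> elements count as persistence hooks.
    for receiver in root.iter("receiver"):
        component = receiver.get(ANDROID_NS + "name")
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in TRAIT_ACTIONS:
                findings.append(("receiver:" + component, name, TRAIT_ACTIONS[name]))
    hooked = {f[1] for f in findings if f[0].startswith("receiver:")}
    # Each trait alone is common in benign apps; flag only the full combination.
    suspicious = hooked == set(TRAIT_ACTIONS) and any(f[0] == "permission" for f in findings)
    return {"findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a reason to look closer at the receiver's code, not a verdict: boot receivers and wake locks are common in legitimate apps.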