A new version of Ransomware is being discovered recently that target the Android Mobile Users.
This new variant of ransomware that encrypts the data of Android smart-phones is laying a new turn on both how it corresponds with its masters and how it lure its victims into action. The new updated version of "Simplocker" disguised itself on app stores and download pages as a appropriate application, and uses an open im i.e. (instant messaging) protocol to connect to C&C server i.e. command and control servers.
The ransomware requests an administrative permissions to lay it hands deep into Android root. Once it's installed, it call itself to victims by stating them it was implanted by the NSA—and so to get their files back, they'll have to pay a "fine."
Ofer Caspi of Check Point's malware research team wrote in a post that the team has "evidence that users have already paid thousands of bucks to have their files "unencrypted" by this new variant of ransomware. He further stated that the number of infected devices so far is in the tens of thousands. Because of the powerful encryption used the ransomware can't be easily removed once it is installed, and so the victims have no choice but to either pay $500 to get their data decrypted or to get their data deleted and start from scratch.
While acting as a legal or governmental authority to intimidate the victim into paying up isn't new, the utilization of XMPP, the instant messaging protocol used by Jabber and previously by GTalk, is a new tactics to evade detection by anti-malware tools.
XMPP communication makes it more harder for security and anti-malware tools to catch the ransomware before it can communicate with its C&C network because it conceals the communication in a way that looks like normal im communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the C&C server through a legitimate messaging relay server. And these messages can be encrypted using TLS-Transport Layer Security. The messages were pulled from the C&C network by the operators of the scheme via Onion network "Tor".
Check Point researchers were able to tap into its XMPP communications channel, by reverse-engineering a sample of the malware,
"During our inspection, we successfully gained thousands of XMPP messages sent between the C&C servers and the victim mobile devices," Caspi wrote. "After breaking the obfuscation scheme implemented in these messages, we were able to read most of the message & its contents.
We also observed that about 10% of the users paid the ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k. As our investigation is incomplete and the actual infection rate can be much higher."
The malware also had localized versions of its ransom demands for Saudi Arabia, the United Arab Emirates, and Iran, each using appropriately themed faked warnings from those countries' governments to victims.
Check Point team has informed that the operators of the XMPP relay servers being used by the ransomware, providing details that will allow those service providers to block traffic that provides the malware with the encryption keys needed to launch an attack. However, new versions of the malware "are still appearing almost every day," Caspi warned.
