February 07, 2017
The infamous Lockdroid ransomware has gained a new feature, a banality among desktop malware, but a never-before-seen trick for Android ransomware.
This new feature is the use of a dropper component that scouts infected devices and then delivers the appropriate ransomware payload based on what it finds.
"Droppers" have been around for many years now, and are small-sized malware strains that are tasked with only a small number of features, such as infecting the device, gaining an initial foothold (boot persistence), scanning the local system, and eventually downloading more dangerous and bulkier malware.
Droppers have never been used with Android ransomware
Droppers have been used with banking trojans, backdoors, RATs, ransomware, and in many cyber-espionage and APT campaigns.
On mobile devices, droppers haven't been used as often as on desktops, and only recently, with advanced adware families such as HummingBad, have we seen crooks rely on them more often.
According to security firm Symantec, no Android ransomware family has ever been seen using droppers. This changed over the last few days, when Symantec researchers noticed a new variant of the Lockdroid ransomware (Android.Lockdroid.E) using a dropper.
Lockdroid displays ransom note as 2D barcode
Researchers say that Lockdroid operators hide the dropper in booby-trapped Android apps spread through third-party app stores and download links sent via SMS and forum spam.
If users bite on the crooks' lures and install the malicious apps on their phones, the dropper performs a basic check before taking one of two actions.
Experts say the dropper checks whether the user's phone is rooted. If it is not, the dropper uses the permissions it was already granted to lock the user's screen and request a ransom payment, which is displayed as a 2D barcode on the screen.
Android Lockdroid ransom screen (via Symantec)
In the second scenario, if the Lockdroid dropper lands on a rooted phone, it asks the user for administrator rights. The lure used to convince users is the promise of access to thousands of pornographic videos if they agree.
Once this happens, the Lockdroid dropper takes advantage of the root access it just gained to download the actual Lockdroid ransomware, which performs the following actions to set itself up as a core system app:
- Remounts the /system partition
- Copies the Android.Lockdroid.E APK embedded in its assets folder to /system/app/[THREAT NAME].apk
- Changes the dropped APK file's permission to executable
- Reboots device so the ransomware can run on boot-up as a system application
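The persistence steps above leave two observable traces: a new APK in /system/app that is not part of the device image, and an APK with its executable bit set (stock system APKs are normally installed read-only, an assumption made here). The following audit script is an added example, not from Symantec or the article; it parses a constructed `ls -l /system/app` listing (for instance captured over `adb shell`) and flags both anomalies against an assumed baseline of expected APK names.

```python
import re
from dataclasses import dataclass

# Constructed sample of an `ls -l /system/app` listing; not output from a real device.
SAMPLE_LISTING = """\
-rw-r--r-- root root 1843200 2016-11-02 10:11 Calendar.apk
-rw-r--r-- root root  921600 2016-11-02 10:11 Contacts.apk
-rwxr-xr-x root root 2457600 2017-02-05 23:41 SystemUpdate.apk
-rw-r--r-- root root  409600 2016-11-02 10:11 Settings.apk
"""

# Assumed baseline: APK names expected in /system/app for this device image.
BASELINE = {"Calendar.apk", "Contacts.apk", "Settings.apk"}

# mode, owner, group, size, date, time, name (toolbox/toybox `ls -l` layout)
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxst-]{9})\s+\S+\s+\S+\s+(?P<size>\d+)\s+\S+\s+\S+\s+(?P<name>\S+)$"
)


@dataclass
class Finding:
    name: str
    reasons: tuple


def parse_listing(text):
    """Return (mode, size, name) tuples for every parseable line of the listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["mode"], int(m["size"]), m["name"]))
    return entries


def audit_system_app(text, baseline):
    """Flag APKs that carry an executable bit or that the baseline does not list."""
    findings = []
    for mode, _size, name in parse_listing(text):
        if not name.endswith(".apk"):
            continue
        reasons = []
        if "x" in mode[1:]:          # any of user/group/other execute bits
            reasons.append("executable bit set on APK")
        if name not in baseline:
            reasons.append("not in device baseline")
        if reasons:
            findings.append(Finding(name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_system_app(SAMPLE_LISTING, BASELINE):
        print(f"{f.name}: {', '.join(f.reasons)}")
```

A single hit on both conditions, as in the sample, is the pattern the steps above would produce; a baseline miss alone may simply be an OEM or carrier addition and warrants verification rather than alarm.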
At this point, the ransomware locks the user's device with the same 2D barcode, but this time around, because the ransomware has admin rights on a rooted device, the screen lock is almost impossible to remove without reflashing the phone (reinstalling the Android OS).
The big problem here is that victims need another phone to scan the barcode shown on their first device. This usually leads more victims to reflash their device rather than borrow a friend's phone and risk that person seeing a pornographic-themed ransom demand on the screen.
During the past few years, Lockdroid has been one of the most active ransomware families known to researchers, even if not that successful.
Nevertheless, this isn't the first time Lockdroid has used novel techniques to go after users: it previously used fake buttons overlaid on top of real ones to trick users into granting it admin rights on older Android versions.