Blog

Bajrang Mane
Android ransomware demands iTunes gift cards as a ransom – an analysis by Quick Heal Security Labs
December 12, 2017

Typically, a ransomware will demand money or cryptocurrency after it has locked down your computer or phone or encrypted its data. But, Quick Heal Security Labs has spotted an Android ransomware that demands iTunes gift cards after it locks down the infected device. These gift cards can be sold on auction sites, social media or on the dark web.

Infection vector

Your Android device can get infected with this ransomware if you download a malicious app (that goes by the name ‘Porn Hub’) on third-party app stores or by receiving the app via electronic transfer mediums (Bluetooth, emails, file sharing sites, etc.)

Analysis of Porn Hub app ransomware

AppName: Porn Hub
Package name: com.pornhub_tools
MD5: 9fadc90562ce6e275eb6db8e6ca6ddad
Size: 39KB

After the ransomware locks down your device, it displays a ransom note where it demands a ransom of an iTunes gifts card worth $200 as a penalty for watching child pornography. An URL is displayed in the ransom note (fig 1). This happens if your device is connected to the Internet.

Fig 1.

If your device is not connected to the Internet, the ransom note displays a different message. In this one, it says that all your files have been encrypted and that you must pay a ransom of $100 worth Bitcoins in order to unlock the device and decrypt the data (fig 2).

Fig 2.

In our analysis, however, we found no instances where the infected device’s data is encrypted by this ransomware. Moreover, the malicious app (‘Porn Hub’) does not have any encryption code. This means you can retrieve your personal information by connecting the device to your PC.

Technical Analysis

When we tried opening the malicious app, it asked us to activate the Device Administrator rights. We selected ‘cancel’ but the app kept repeating the same activity until we selected the ‘activate’ option.

Once activated, the app checked if the device is connected to the Internet. When the device was online, the app collected device data such as device ID and sim operator. This data was sent to a certain URL (HTTP://*******.w*n//private/tuk_tuk.php) which loads the webpage demanding the iTunes gift card (fig 1).  And when the device was offline, the app loaded an HTML page demanding Bitcoins (fig 2).

Fig 3. Code snippet for connecting URL or loading HTML page

Here, the URL and HTML page content is encrypted using Base64. The Base64 encoded strings are decoded as shown in fig 4.

Fig 4. This is the same HTML code shown in fig 2

Fig 5. Code snippet of the device’s data collection and URL generation

Analysis of fake Dropbox app ransomware

 AppName: Dropbox
Package name: com.example.testlock
MD5: 17bc088027d2f3f71a74beed3a9c715
Size: 415KB

 Quick Heal Security Labs found another malicious app hiding a ransomware which demands iTunes gift cards as a ransom. This app uses the icon of Dropbox (a famous a file hosting service). When we opened this app, it asked us to activate the Device Administrator rights (fig 6), just like the app we discussed earlier.

Fig 6.

Once activated, the ransomware displays a ransom note claiming that the device has been locked by the Federal Bureau of Investigation (FBI) as a penalty for watching child pornography. To unlock the device, an iTunes gift card worth $25 has to be paid within 72 hours (fig 7).

Fig 7.

The ransom note asks the user to enter an iTunes gift card code of the demanded value. If the user enters a wrong code, a message is displayed saying that the user is now left only with 2 attempts after which the device will be locked permanently (fig 8).

In our analysis, however, we found that the warning is fake and only shown to threaten the user into paying up the ransom.

Fig 8.

Quick Heal Detection

Quick Heal successfully detects both these ransomware as Android.Locker.Aa54f and Android.Locker.Aa550.

It is strongly recommended not to pay any ransom because there is no guarantee that you will get your files back or have your device unlocked even after paying the ransom.

 How to stay safe from Android ransomware

  1. Before downloading any app (even from Google Play), verify its source. Check the developer’s website and reviews on the app.
  2. Avoid downloading apps from third-party app stores. Most malware-infected apps are found on these stores. Download apps only from official app stores such as Google Play.
  3. Always keep ‘Unknown Sources’ disabled. Enabling this option allows installation of apps from unknown sources (third-party). On your device, go to Settings > Security > check for Unknown Sources > Disable it
  4. Install a reliable mobile security app on your phone that can block fake, suspicious and harmful apps.

 Subject Matter Expert
Rupali Parate | Quick Heal Security Labs

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Bajrang Mane
About Bajrang Mane
Bajrang Mane is leading the Threat Analysis, Incident response, and Automation teams in Quick Heal Security Labs. Having spent 13 years in the IT security industry,...
Articles by Bajrang Mane »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image