Android ransomware variants created directly on mobile devices


Attackers used legitimate tools on mobile devices to create variants of Android.Lockdroid.E. Symantec has seen several variants of a known ransomware family (Android.Lockdroid.E) that were developed on Android devices using the Android integrated development environment (AIDE). The surge in adoption of these new development techniques has been limited to a small subset of Android ransomware groups. However, the ability to create malware on mobile devices may open up new avenues in the future creation of malware.

Rapid application development
As the techniques used to create new ransomware threats on mobile devices are relatively new, a bit of explanation is in order. These ransomware threats were created using the rapid application development (RAD) model of software development. This method is typically used for software that requires rapid prototyping and is driven by user interface requirements. This is a particularly suitable way to develop mobile applications because of their reliance on a strong graphical user interface (GUI).

RAD utilizes GUI builders that can make it easier to build applications because of their drag-and-drop wizard functionality, which can be used to build both the interface and the app. Integrated development environments (IDEs), another integral part of the RAD model, help developers to rapidly build an application by automatically generating boilerplate code. These functions make it easier for developers, and in this case attackers, to rapidly create software without worrying too much about planning and design.

Developing ransomware on mobile devices
Usually, the tools required to build Android apps run on a computer, so a developer normally needs a computer to build Android apps; this is the most common practice in app development. In this specific case, attackers have used an IDE to design, build, implement, modify, and sign variants of Android.Lockdroid.E directly on mobile devices. These variants contain code remnants indicating that they were developed using AIDE (it should be noted that AIDE is not malicious; it is a legitimate learning platform that can be used to develop mobile apps directly on an Android device).

Why use AIDE to develop ransomware?
Attackers can take advantage of the flexibility, ability to modify the code quickly, and mobility that AIDE provides when creating their ransomware variants. For example, an inexperienced developer, who just wants to create a new variant from existing code, can modify only a few lines of the code directly on the device (such as the hard-coded email ID or password) and create a new variant. Similarly, an experienced malware author could use the software to create ransomware on the go, while commuting for example, without the need for a laptop.

Mobile-developed ransomware in the wild
The variants of Lockdroid.E that we observed have targeted Chinese speakers and have been spread through spam emails or browser hijackers that were already installed on devices.

Lockdroid.E functions like typical ransomware that locks the victim’s screen. Once a variant is installed on the mobile device, it creates a window (as shown in the figure below) on top of the compromised device’s user interface. The malware then tells the user that if they want to unlock their device, they need to contact the attacker through the instant messaging service QQ. The victim may then be asked to pay a ransom in order to unlock their device.

Figure. Message on lock screen asks user to contact the attacker through QQ

In this case, the code needed to unlock the device screen is hard-coded within a variable of the malware’s code. The attacker’s QQ ID is hard-coded in another variable. Novice attackers have been using AIDE to modify the values of these variables to point to different QQ IDs and unlock codes. Using AIDE allows the attackers to use their Android devices as development platforms to quickly and easily create new variants in this way. However, their inexperience shows: during some of the modification attempts the rookie developers made several editing errors that resulted in corrupted samples.

Manipulating existing code to create new variants with different configurations is nothing new in traditional malware development practice. However, the adoption of the RAD methodology shows how attackers are attempting to find quicker, more flexible ways to create malware.
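The two preceding paragraphs describe variants that differ only in a few edited constants (a QQ ID and an unlock code), plus corrupted samples where the edit went wrong. From a defender's side, the useful consequence is that such variants should collapse to one family signature once the configuration values are factored out. The following script is an added illustration of that triage step; it is not Symantec's tooling and not the malware's own code. The decompiled-style listings, the variable names `qq` and `unlockCode`, the class name `com/example/Locker` and all ID and code values are constructed for the example.

```python
"""
Added example: separate a lock-screen ransomware variant's hard-coded
configuration (contact ID, unlock code) from its shared code, so that
config-only edits map to the same family signature and samples with a
missing value (a botched edit) are flagged.  All inputs are constructed.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed listings in a simplified smali-like form.  Variants a and b
# share the same code and differ only in their constants; variant c has an
# extra call (a real code change); variant d lost its unlock code value
# during editing, mirroring the corrupted samples described in the post.
SAMPLES: Dict[str, str] = {
    "variant_a.smali": """
        const-string v0, "qq"
        const-string v1, "123456789"
        const-string v2, "unlockCode"
        const-string v3, "8848"
        invoke-virtual {p0}, Lcom/example/Locker;->showLockWindow()V
    """,
    "variant_b.smali": """
        const-string v0, "qq"
        const-string v1, "987654321"
        const-string v2, "unlockCode"
        const-string v3, "2017"
        invoke-virtual {p0}, Lcom/example/Locker;->showLockWindow()V
    """,
    "variant_c.smali": """
        const-string v0, "qq"
        const-string v1, "555555555"
        const-string v2, "unlockCode"
        const-string v3, "0000"
        invoke-virtual {p0}, Lcom/example/Locker;->showLockWindow()V
        invoke-virtual {p0}, Lcom/example/Locker;->disableBackButton()V
    """,
    "variant_d_broken.smali": """
        const-string v0, "qq"
        const-string v1, "111111111"
        const-string v2, "unlockCode"
        invoke-virtual {p0}, Lcom/example/Locker;->showLockWindow()V
    """,
}

CONST_STRING = re.compile(r'const-string\s+v\d+,\s+"([^"]*)"')
# Assumed key names; in a real sample these come from the analyst's review.
CONFIG_KEYS = ("qq", "unlockCode")


def extract_config(listing: str) -> Dict[str, str]:
    """Return {key: value} for each key const-string followed by its value."""
    strings = CONST_STRING.findall(listing)
    config: Dict[str, str] = {}
    for key, value in zip(strings, strings[1:]):
        if key in CONFIG_KEYS:
            config[key] = value
    return config


def missing_config(listing: str) -> List[str]:
    """Keys the listing names but provides no value for (botched edit)."""
    found = extract_config(listing)
    return [k for k in CONFIG_KEYS if k not in found]


def family_signature(listing: str) -> str:
    """SHA-256 of the code with config values replaced by placeholders."""
    normalized = listing
    for key, value in extract_config(listing).items():
        normalized = normalized.replace(f'"{value}"', f'"<{key}>"')
    normalized = " ".join(normalized.split())  # ignore whitespace changes
    return hashlib.sha256(normalized.encode()).hexdigest()


def triage(samples: Dict[str, str]) -> Dict[str, List[Tuple[str, Dict[str, str]]]]:
    """Group samples by family signature; each entry is (name, config)."""
    groups: Dict[str, List[Tuple[str, Dict[str, str]]]] = {}
    for name, listing in samples.items():
        groups.setdefault(family_signature(listing), []).append(
            (name, extract_config(listing))
        )
    return groups


if __name__ == "__main__":
    for sig, members in triage(SAMPLES).items():
        print(sig[:16], [(n, c) for n, c in members])
    for name, listing in SAMPLES.items():
        if missing_config(listing):
            print(f"{name}: missing {missing_config(listing)}")
```

Running the block groups variants a and b under one signature despite their different IDs and codes, puts variant c in its own group because its code changed, and reports variant d as missing its `unlockCode` value. The same normalization idea is what makes a family signature resilient to the kind of constant-only edits the post attributes to novice attackers.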

To protect against the threats discussed in this blog, Symantec recommends the following security best practices:

  • Keep your software and operating system up to date
  • Do not install apps from unfamiliar or untrusted sources
  • Pay close attention to the permissions requested by mobile apps
  • Back up your device frequently
  • Install a suitable mobile security app, such as Norton Mobile Security, in order to protect your device and data