Most prevalent Android ransomware in the West arrives in Japan

Android.Lockdroid ransomware expands to Asia by targeting Japan first. The malware poses as a system update and locks the device from use. One of the most prevalent Android ransomware threats in the West has now expanded to Asia, choosing Japan as its first target. This Android.Lockdroid campaign began in March 11 and poses as a system update. Once the ransomware detects that it’s installed on a device in Japan, it displays the ransom message in Japanese. This is the first time that we have seen mobile ransomware for Western users displaying any Asian language.

Figure 1. Recent Android.Lockdroid variants target Western regions and Japan

If the ransomware arrives on the phone, it requests device administrator features and locks the device from use. In many attacks, users need to perform a factory reset to restore their device.

Distributing Android.Lockdroid
For most cases, Android.Lockdroid needs to be manually downloaded from adult sites to infect devices. It could also automatically arrive on the device when the user clicks on links, many of which are advertising, on these websites.

Figure 2. Adult website distributing the app

The malware may pose as a pornographic video app and try to trick users into installing it. Some variants pretend to be system updates and attempt to deceive users into believing that a patch is required for their operating system. The March 11 campaign mainly distributes the system update variants.

Figure 3. Android.Lockdroid disguises itself as adult video apps or system updates

Tailoring ransom warnings for different regions
During the installation process, the app asks the user to activate device administrator features. If the user does this, then the ransomware can prevent its removal, even when the operating system is booted into safe mode.

These particular Android.Lockdroid variants wait 30 minutes or longer until they begin their activity. This is because the malware doesn’t want the user to suspect that the app they’ve just installed is the culprit. If the device is not connected to the internet or is having difficulty reaching its command and control (C&C) servers, then the Trojan may display a message asking the user to try the app again at a later time.

Figure 4. Message shown when the app can’t connect to the server

Once the malware has access to C&C servers, it uploads device information to determine the phone’s language. If the server finds that the app is on a Japanese device, it pushes out a ransom message localized for Japanese users. If the user is located in the US, the app displays the warning in English, while users in Europe receive notices in their own languages. If the ransomware does not have a ransom message for the user’s region, then the server sends the message in English, purporting to be from Interpol.

Figure 5. The language of the messages vary by region

During our investigation, there were no messages localized for Asian regions apart from Japan. Symantec confirmed this to be the case for China, Hong Kong, India, Malaysia, South Korea, Singapore, and Thailand. For these regions, the Interpol message was displayed. Based on this analysis, we can conclude that the attackers are currently testing their threat in Asia by first targeting Japanese users.

Scare tactics
In all languages, the ransom message states that law enforcement has locked the device because the user has viewed or stored illegal pornography on the device. The warning asks the user to pay a fine to unlock the device.

The app also attempts to take a picture of the victim using the device’s front camera. The threat displays the photo as part of the ransom warning, along with other data gathered from the device such as the IP address, region, device model, OS version, and the name of the user. This strategy aims to scare the user into paying the ransom.

As with past Android.Lockdroid campaigns, the latest variants ask the user to pay the fine using an iTunes card. The cost is either 10,000 yen, US$100, or €100, depending where the victim is located.

Figure 6. Android.Lockdroid variants’ ransom screen with user images (left) and its payment request screen (right)

Mitigation
It was only a matter of time before mobile ransomware expanded into Asia, as this was the case for ransomware for PCs. We expect to see more Android ransomware campaigns targeting this continent.

Users can attempt to remove Android.Lockdroid in safe mode. Note that the name of the app on the device may be different from the one listed in Android’s settings. However, in cases where the malware has device administrator features, it can prevent users from doing this, meaning that the phone can only be restored through a factory reset.

The following measures are also recommended to help users to protect their devices against Android.Lockdroid:

Use a comprehensive security solution such as Symantec Mobility or Norton Mobile Security to protect against mobile threats
Only install apps from trusted sources
Pay close attention to the permissions requested by mobile apps
Back up your device frequently
Keep software up to date

Protection
Symantec and Norton products have the following detections for the Android.Lockdroid variants seen in this campaign:

Android.Lockdroid.E
Android.Lockdroid.H

The following list includes the MD5s for the .apks analyzed in this blog:

05a9fe032c557852df14be9c24e145bb
0be58a6dedbff9a2d08861acddd9ecf8
150171ee9bdace16028db879dc312a38
2edaf9b9dc0918dadc8ddfcedf49ca0f
3d846a285f70cc881fb59500a259bd17
432d6910a334f2dd4a17dcd5a513c374
47e1285eb9d63d6092ac1e4d3f8944ea
4bbafb6d3ae5f562b6a6b742cd25a5e6
5d7405d140b3607e5aef0418b0a3e6fe
684d849b6c1538946f55ddb800cf654d
716140c878595dca1c447e2a4d59ffaa
7f16f02a4091d0d70ce0726c7323f654
9a28af9abec460af199713a6b99e6154
9aefe49b536f13400d4669bc9051074f
9b2dee1d3d0f18f25048be5a84e7ec6f
9d2003315ce87f89a38fe5ba8dfcc113
b307dbfbda494b98fc75762077a3f9bc
b495bd826e3414cb1cf1701d090aca3a
b5689dbf26452811e97b3a1c877a4f02
bad492bb6ebc5bee77d33529371b4cef
bba6b9b0c656507e0a9ca2c715d75bea
bf35624f3f004606801f40ef1b5a7122
c720f02f55839fddc580dc934df918b6
f1015fa58b8a42e19749667d339002fc

Source:https://www.symantec.com/

Alisa Esage G

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.

Most prevalent Android ransomware in the West arrives in Japan

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Compromising Cryptographic Key Security Through PuTTY: A Deep Dive into CVE-2024-31497

How to hack a LG Smart TV via vulnerabilities in LG WebOS?

How to Check if a Linux Distribution is Compromised by the XZ Utils Backdoor in 6 Steps

CVE-2023-5528: Kubernetes Flaw Jeopardizing Windows Node That Can’t Be Ignored

Hacking Debian, Ubuntu, Redhat& Fedora servers using a single vulnerability in 2024

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

Web-Based PLC Malware: A New Technique to Hack Industrial Control Systems

The API Security Checklist: 10 strategies to keep API integrations secure

11 ways of hacking into ChatGpt like Generative AI systems

How to send spoof emails from domains that have SPF and DKIM protections?

Silent Email Attack CVE-2023-35628 : How to Hack Without an Email Click in Outlook

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

Major Python Infrastructure Breach – Over 170K Users Compromised. How Safe Is Your Code?

How to exploit Windows Defender Antivirus to infect a device with malware

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]