New Mobile Ransomware Found That Mimics WannaCry

by CXOtoday News Desk, Jul 11, 2017

A new variant of SLocker, an Android file-encrypting ransomware family, has been detected. This particular SLocker variant is the first mobile ransomware to capitalize on the publicity of the earlier WannaCry outbreak, copying its GUI.

This ransomware disguises itself as game guides, video players, and the like in order to lure users into installing it. Once installed, it checks whether it has run before. If it has not, it generates a random number and stores it in SharedPreferences, where persistent application data is saved. It then locates the device’s external storage directory and starts a new thread. Once the ransomware runs, the app changes its icon and name, along with the wallpaper of the infected device. The ransomware declares a disabled activity alias in its manifest; it then changes its icon by disabling the original activity and enabling the alias.
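As an added example (not code from the article or from Trend Micro), the following Python heuristic flags the manifest pattern described above: an activity-alias that is disabled at install time, declares its own icon or label, and owns a launcher intent filter. It assumes the manifest has already been decoded from the APK to plain XML (for instance with apktool) and runs on a constructed sample manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"  # namespace of android:* attributes

def _attr(element, name):
    """Read an android:<name> attribute from a decoded manifest element, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))

def _is_launcher(component):
    # A MAIN/LAUNCHER intent filter means the component owns a home-screen icon.
    for flt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False

def find_icon_swap_aliases(manifest_xml):
    """Return (alias, target) pairs for launcher aliases that ship disabled but carry their own icon or label."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    hits = []
    for alias in app.findall("activity-alias"):
        disabled = (_attr(alias, "enabled") or "true").lower() == "false"
        own_look = _attr(alias, "icon") is not None or _attr(alias, "label") is not None
        if disabled and own_look and _is_launcher(alias):
            hits.append((_attr(alias, "name"), _attr(alias, "targetActivity")))
    return hits

# Constructed sample manifest (not the real sample): a launcher activity, a disabled alias with a
# different icon and label, and an ordinary enabled alias that must not be flagged.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gameguide">
  <application android:label="Game Guide" android:icon="@drawable/guide">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".LockerAlias" android:targetActivity=".MainActivity"
                    android:enabled="false" android:icon="@drawable/locker" android:label="Files Locked">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <activity-alias android:name=".ShortcutAlias" android:targetActivity=".MainActivity"/>
  </application>
</manifest>"""
```

Legitimate apps also use aliases to change their launcher icon, so treat a hit as a triage signal for manual inspection rather than a verdict.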

The original sample captured by Trend Micro was named ‘King of Glory Auxiliary’ and was disguised as a cheating tool for the game King of Glory. Once installed, its appearance closely resembles WannaCry, which has already inspired a few imitators. In a statement, Trend Micro observed that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and only encrypts files that have suffixes (text files, pictures, videos).

“Compared to the ransomware we have seen before, this ransomware is relatively simple. It is actually quite easy for a security engineer to reverse the ransomware and find a way to decrypt files. To help users keep the information on their mobile device safe, Trend Micro suggests installing apps downloaded from legitimate app stores such as Google Play and being careful about the permissions an app asks for, especially permissions that allow the app to read/write on external storage,” says Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

He added, “It is also important to back up your data regularly—either on another secure device or on cloud storage. Users must install comprehensive antivirus solutions.”

When a file that meets all the requirements is found, the thread uses ExecutorService to run a new task. Once the file has been encrypted, a suffix is added to the file name. The suffix contains a QQ number and the random number used to generate the cipher. The ransomware presents victims with three options to pay the ransom, but in the sample analysed by Trend Micro, all three led to the same QR code, which asks the victims to pay via QQ (a popular Chinese mobile payment service). If victims refuse to pay after three days, the ransom price is raised, and the ransomware threatens to delete all files after a week.