New singular Android Ransomware relies on the XMPP protocol

Pierluigi Paganini September 04, 2015

A new variant of Android ransomware relies on the instant messaging protocol XMPP to communicate with its C&C servers.

According to security researchers at Check Point Software Technologies, a new Android ransomware disguised as a video player app implements a C&C communication method not seen in any other similar threat.

What sets this Android ransomware apart is its use of the instant messaging protocol XMPP (Extensible Messaging and Presence Protocol) to communicate with its C&C servers.

“Our Ransomware sample takes a different approach for its communications. It uses a common instant messaging protocol called XMPP (Extensible Messaging and Presence Protocol) to send information from the infected device and to receive commands such as encrypt user files with a given key encryption, send an SMS, call a phone number, etc.” states a report published by Check Point. “Using XMPP makes it much more difficult for security devices to trace the malware C&C traffic as well as distinguish it from other legitimate XMPP traffic. It also makes it impossible to block traffic by monitoring for suspicious URLs. Furthermore, as this technique uses external library functions to handle the communication, the malware does not require any additional application to be installed on the device. As XMPP supports TLS, the communication between the client and the server is also natively encrypted.”
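The report's point is that URL filtering never sees this channel: the commands travel inside XMPP stanzas, and once STARTTLS completes the stanzas are encrypted. What a network sensor can still see is the client's initial XMPP stream header, which per RFC 6120 is sent in plaintext before STARTTLS is negotiated and carries the server domain in its `to` attribute. The following is an added example, written for this page and not code from Check Point or from the article; it works on constructed sample payloads rather than captures of the real campaign, and the allow-list of approved XMPP domains is an assumption for illustration. It extracts the server domain from the stream header regardless of the destination port and flags sessions to servers an organization has not approved.

```python
import re
from typing import Optional

# Constructed sample flows (first client-to-server bytes of each TCP session);
# these are illustrative, not captures from the real ransomware campaign.
SAMPLE_FLOWS = [
    # Ordinary XMPP client on the standard port, to an approved server.
    {"dst_port": 5222,
     "payload": b"<?xml version='1.0'?><stream:stream to='chat.example.org' "
                b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"},
    # XMPP stream opened on a non-standard port to an unknown server (the
    # pattern a URL filter would never notice, but the stream header still shows it).
    {"dst_port": 8080,
     "payload": b"<stream:stream xmlns=\"jabber:client\" to=\"im.unknown-host.test\" version=\"1.0\">"},
    # Not XMPP at all: the start of a TLS ClientHello.
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
]

# Ports registered for XMPP (client, legacy direct-TLS client, server-to-server).
XMPP_PORTS = {5222, 5223, 5269}

# RFC 6120 stream header: <stream:stream ... to='domain' ...>. Attribute order is
# not fixed, so match 'to=' anywhere inside the opening tag.
STREAM_HEADER = re.compile(rb"<stream:stream\b[^>]*?\bto=['\"]([^'\"]+)['\"]", re.IGNORECASE)


def xmpp_stream_target(payload: bytes) -> Optional[str]:
    """Return the server domain named in an XMPP stream header, or None if the
    payload does not begin an XMPP stream."""
    m = STREAM_HEADER.search(payload)
    return m.group(1).decode("ascii", "replace").lower() if m else None


def classify_flow(flow: dict, allowed_domains: set) -> dict:
    """Classify one flow: not XMPP, XMPP to an approved server, or XMPP to a
    server outside the allow-list. Also notes use of a non-standard port."""
    domain = xmpp_stream_target(flow["payload"])
    if domain is None:
        verdict = "not-xmpp"
    elif domain in allowed_domains:
        verdict = "allowed"
    else:
        verdict = "unapproved-server"
    return {
        "dst_port": flow["dst_port"],
        "domain": domain,
        "nonstandard_port": domain is not None and flow["dst_port"] not in XMPP_PORTS,
        "verdict": verdict,
    }


def classify_flows(flows: list, allowed_domains: set) -> list:
    return [classify_flow(f, allowed_domains) for f in flows]


if __name__ == "__main__":
    # Assumed allow-list: the XMPP servers an organization actually sanctions.
    approved = {"chat.example.org"}
    for result in classify_flows(SAMPLE_FLOWS, approved):
        print(result)
```

The check only works against STARTTLS-style XMPP, where the first header is in clear; a client that uses direct TLS (legacy port 5223 or the XEP-0368 style of deployment) encrypts the header too, and the TLS SNI field is then the equivalent place to read the server name. Either way, the domain has to be matched at the XMPP or TLS layer, which is exactly what an HTTP URL filter does not do.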

The infection starts when the victim downloads a supposed Flash Player app; once they approve the installation and grant the requested permissions, the ransomware encrypts the files on the device.

The ransomware displays a message purporting to be from the National Security Agency: the text warns the user about copyright violations and threatens to triple the fine if the ransom is not paid within 48 hours. It is not the first time crooks have used a fake NSA message in their social engineering; the mobile ransomware families Koler and Simplocker did the same.


The researchers have identified dozens of XMPP accounts used to control the Android ransomware; after Check Point notified the XMPP server operators, those accounts were suspended.

“During our campaign research, we discovered dozens of XMPP C&C accounts related to this infection. Over the past few weeks we’ve informed the relevant XMPP server operators, and those accounts have been suspended. This action will effectively disrupt the communications of any currently infected clients and prevent the malware authors from controlling these devices. In addition, the files on any machines newly infected with these samples should be safe, as the malware won’t be able to effectively encrypt the files without the C&C commands. Unfortunately, new samples from this campaign are still appearing almost every day.” states the report.

The majority of infections are in the United States, followed by Asia. Tens of thousands of devices could be infected, and according to Check Point nearly 10 percent of the victims have so far paid the fee requested by the cybercriminals. The ransom ranges from $200 to $500.


The experts noticed that the crooks tailor the ransom message to the victim’s geographic location, which makes the NSA impersonation more credible.

Take a look at the report; it is full of detailed information on this singular Android ransomware, including indicators of compromise.

Pierluigi Paganini

(Security Affairs – Android Ransomware, malware)
