Update: Android Ransomwares, The Escalated Battle

— Trustlook Research Team

Malware packages are designed to download and execute files without user’s consent. In order to reduce the amount of data necessary for the download, the developer keeps the item a minimal size. Most developed malware have constrained operating systems and can only download specific files. The research package, discovered and detected by Trustlook, can be identified as having the following characteristics:

  • MD5: 5229453ADF4EA45C3D8AED4CBE38563E
  • SHA256: 809e5a2def3540e2fe204f39fc32600b2672b3de41d829432edc6f5a46f0ccd0
  • Size: 57943 bytes
  • App name: Flash Player Update
  • Package name: com.googleservice.play.critical

The package icon is:

Screen Shot 2016-06-13 at 11.54.25 AM

Compared to the normal app, this app can accept various remote instructions from the attacker to download malicious apps or components.

In VirusTotal among 57 antivirus vendors, only 3 vendors detected them when initially submitted.

Screen Shot 2016-06-13 at 11.54.39 AM

The app appears to be written in a way to trick users into believe it is a legitimate app. After installation, the app removes its icon to hide itself from the user.

Screen Shot 2016-06-13 at 11.55.00 AM


The app communicates with a remote server and sends out some personal information:

Screen Shot 2016-06-13 at 11.55.17 AM

The following code snippets demonstrate the above behaviors:

Screen Shot 2016-06-13 at 11.55.33 AM

Furthermore, the malware creates a SQL database to maintain the received tasks from from the C&C server. These methods include:

  • getNext  // get next task
  • getTaskByPackage  // get task by package id
  • updateTryCount  // update count
  • insert  // insert task
  • remove // remove task

The malware checks for if the phone is rooted by searching for “su” file and downloads/installs apk accordingly.

Screen Shot 2016-06-13 at 11.55.50 AM

If an HTML file is received, the malware will show the web page instead of install the file:

Screen Shot 2016-06-13 at 11.56.02 AM

As seen in the HOST string in the captured traffic shown earlier, the malware most likely targets the Russian smartphone users. The following code snippets also demonstrate the malware checks for the country code:

Screen Shot 2016-06-13 at 11.56.13 AM

The IP of the C&C server “loaddik.ru” is located in Ukraine and was registered on 2016-05-10:


Screen Shot 2016-06-13 at 11.56.23 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s