May 10, 2014


Ransom, fake warnings from the FBI, and phone locking

GroDDViewer graphs:


This malware infects android phone when the user is browsing on the Web. He believe downloading an honest application (a video player for instance) but the user gets an undesired application on his device. Once installed, the ransomware requests full network access, permission to run at startup and permission to prevent the phone from sleeping. The granted access allows the ransomware to take control of the device. The full network access allows the malicious app to communicate over the web and download the ransom message that is shown on the captive device. The permission to run at startup and prevent the phone from sleeping fully lockdown the phone, preventing victims from escaping the ransom message. The ransomware localizes fake government messages, depending on the users GPS location, accusing them of having viewed and downloaded inappropriate and illegal content. The ransomware demands ransom of course! The ransom to regain access to the device including all of its apps, which it claims are all encrypted, is set at around $300 and is to be paid through untraceable forms of payment such as MoneyPak.

Other resources


Start application : a fake warnings from the FBI or other law enforcement agencies tells the victim that he has been found to have visited illegal sites containing child pornography and must pay a fine


Malware type :

Attacks :

Infection technique :

Malicious code type :

Hidding techniques :

Triggering techniques :


Java source code extracts: