Videoplayer
Summary
Details
Video Player is a ransomware discovered in 2015. It encrypts the user's stored multimedia files and can send an SMS to the user's contacts asking them to download the malware. The malware can also steal the user's contacts and SMS messages. The application impersonates a government agency (the FBI) to demand a ransom.
The application is a fake video player. The interface is simple, and the application cannot actually play a video.
When the device is blocked, the application shows a message saying that the user is "guilty of having pornographic files, this is forbidden by US law, you must pay".
The application needs a server to execute its malicious code. However, that server is down today, so a fake server has been created to receive the contacts the malware steals.
Stage 1 : Configuration of the fake server
You must configure the phone and enable tethering (Settings > More > Tethering & portable hotspot > USB tethering).
To configure the server, run the following commands (the first block on the host, the adb shell commands on the phone):
$ ifconfig                                  (the usb0 interface has the address IP1)
# echo 1 > /proc/sys/net/ipv4/ip_forward    (enable IP forwarding on the host)
$ adb shell
# netcfg                                    (list the phone's network interfaces)
# route add default gw IP1 dev rndis0       (send the phone's traffic through the host)
# exit
# ip addr add 148.251.154.104/24 dev eth0   (give the host the server's address, IPserveur)
$ python server.py 12449                    (start the fake server on port 12449)
Stage 2 : Communication between the client and the server
The client sends several requests to the server :
- POST 148.251.154.104:12449/pha sends information about the phone.
- GET 148.251.154.104:12449/gac asks for an order. The client receives an order identifier.
- GET 148.251.154.104:12449/eaction only confirms the order. The client confirms that the request has been carried out with the answer status (code 200).
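The fake server on the page only has to accept these three requests, answer with status 200 and keep a record of what the sample sends. The following is an added example of such a logging sink, not the page's own server.py: it uses only the endpoints, the port and the "status 200" rule stated above. The page does not give the body formats, so the reply to /gac is a labelled placeholder order identifier, request bodies are logged verbatim for later review, and the beacon_sequence helper lets the analyst check that a client really follows the pha, gac, eaction order.

```python
"""Logging sink for the Video Player beacons described in Stage 2.

Added example, not the page's server.py.  Only the three endpoints, the
port (12449) and the "answer status 200" rule come from the page; the body
formats are not given there, so the /gac reply is a labelled placeholder and
request bodies are logged verbatim.
"""
import json
import sys
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoint semantics as stated on the page: (method, path) -> meaning.
ENDPOINTS = {
    ("POST", "/pha"): "phone information upload",
    ("GET", "/gac"): "order request",
    ("GET", "/eaction"): "order confirmation",
}

# Assumption: the page does not describe the /gac reply, so this placeholder
# order identifier exists only so the client receives a 200 with a body.
PLACEHOLDER_ORDER = b"0"

LOG_PATH = "beacons.jsonl"  # one JSON record per request, appended


def classify(method, path):
    """Map a request to the page's description of it, or None if unknown."""
    bare = path.split("?", 1)[0]
    return ENDPOINTS.get((method.upper(), bare))


def handle(method, path, body, client="unknown"):
    """Pure request handler, usable without sockets.

    Returns (status, response_body, log_record).  Known beacons get the 200
    the client expects; anything else is recorded and refused with 404.
    """
    meaning = classify(method, path)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client,
        "method": method.upper(),
        "path": path,
        "meaning": meaning or "unknown",
        "body": body.decode("utf-8", "replace"),
    }
    if meaning is None:
        return 404, b"", record
    if meaning == "order request":
        return 200, PLACEHOLDER_ORDER, record
    return 200, b"", record


def beacon_sequence(records, client):
    """Ordered list of known beacon meanings seen from one client.

    Lets the analyst verify that the sample follows the pha -> gac -> eaction
    order described on the page; unknown requests are left out.
    """
    return [r["meaning"] for r in records
            if r["client"] == client and r["meaning"] != "unknown"]


class SinkHandler(BaseHTTPRequestHandler):
    """Wires handle() into http.server and appends each record to LOG_PATH."""

    def _serve(self, method):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, reply, record = handle(method, self.path, body,
                                       client=self.client_address[0])
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(status)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")

    def log_message(self, fmt, *args):
        pass  # the JSONL file is the record; keep stdout quiet


if __name__ == "__main__":
    # Usage mirrors the page: python sink.py 12449
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 12449
    HTTPServer(("0.0.0.0", port), SinkHandler).serve_forever()
```

Run it on the host after the routing steps of Stage 1 with the port from the page (12449); every request from the phone then lands in beacons.jsonl with its path, body and the meaning the page assigns to it, which is the evidence the analysis needs without having to reconstruct the real server's replies.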
Other resources
Triggering
Characteristics
Malware type :
- Ransomware
Attacks :
- Confidentiality
- Integrity
- Availability
- Normal use
Normal use
Infection technique : Standalone application
Malicious code type :
- Use Java code
- Use native code
Hiding techniques :
- Not hidden
Triggering techniques :
- Executed at launch
- Waits for a particular intent
Samples
Java source code extracts:
crypto.java : the function which encrypts the files.
contact.java : the function which sends the user's contacts.
commande.java : an example of an order.