Saturday, October 12, 2024
HomeMobile AttacksAndroid Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

Published on

Malware protection

Now it time for Android devices, Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone.

The fascinating turn on this ransomware variation is that it influences the Google Cloud Messaging (GCM) Platform, a push warning administration for sending messages to enrolled customers, as a component of its C2 infrastructre. It additionally utilizes AES encryption in the correspondence between the contaminated device and the C2 server.

There are a few things that emerge about this risk. The first is the humongous payment ask it approaches victims for, which is 545,000 Russian rubles

- Advertisement - SIEM as a Service

Malware Infection

After the client dispatches the infected application, it demands application admin rights.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

Once user installs the malicious application, it demands application admin rights.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

How this malware works

As per Lu, law breakers can send 20 type of commands to contaminated hosts, orders which can lock or open the device’s screen, add new contacts to the telephone, take all contacts, send SMS messages, and redesign the malware’s code.

Here we can see a detailed analysis on how this malware works

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

 Jfldnam Class

Next the Jfldnam Class used in GCM registration.The key code bit is demonstrated as follows.

Note : Google Cloud Messaging (GCM) is a free service that enables developers to send messages between servers and client apps.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

The GCM Broadcast Receiver announcement in AndroidManifest record, there are three services revelations in the AndroidManifest document.

class kbin.zqn.smv.Ewhtolr is the GCM Service Class, with subclass Hkpvqnb, the following code is used to handle the action of intent related to GCM.

If the action is equal to “com.google.android.c2dm.intent.REGISTRATION”, it means that GCM registration has been successful. The malware handles the response from GCM server.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

The registration_id is stored in com.google.android.gcm.xml, if the GCM registration is successful, the malware sends RegId to the C2 server.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone
Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

From the above figures we can see that the malware uses AES to encrypt the json data that stores the reg_id, and it then sends the encrypted data to its C2 server.

 Locker class

This is used to gain device administrator rights.

 Omnpivk class

This is utilized to show a locker screen that requests that the client present their Mastercard data to open the device. A code scrap of Omnpivk class is demonstrated as follows.

The locker screen is loaded from the asset folder. It looks like this.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

Once the gadget is blocked by this malware, the locker screen is overlaid on top of the framework window. Clients are kept from doing anything on the gadget until their bankcard information is given.

Likewise you can read : No more ransom adds immense power to globe against Ransomware Battle

Once the client enters their card details, the malware sends it to the C2 server. The caught movement is demonstrated as follows.

Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

This ransomware is now focusing on just Russian clients. Much the same as most Android malware today, this risk is covered up inside an application that solicitations clients to give it head rights.

The application is probably downloaded and introduced from outsider application stores. Since the ransomware gets administrator rights, clients need to reboot their gadgets in experimental mode and expel the application from that point.

General Methods to prevent Ransomware

1.Backup data.
2.Disable files running from AppData/LocalAppData folders.
3.Filter EXEs in the email.
4.Patch or Update your software.
5.Use the Cryptolocker Prevention Kit.
6.Use a reputable security suite.
7.CIA cycle(Confidentiality, integrity, and availability)
8.Utilize System Restore to recover the computer.
9.Disconnect Internet connection immediately.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...