Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone

Now it time for Android devices, Android Ransomware(King online) Locks Phone and Asks Ransom to unlock Phone.

The fascinating turn on this ransomware variation is that it influences the Google Cloud Messaging (GCM) Platform, a push warning administration for sending messages to enrolled customers, as a component of its C2 infrastructre. It additionally utilizes AES encryption in the correspondence between the contaminated device and the C2 server.

There are a few things that emerge about this risk. The first is the humongous payment ask it approaches victims for, which is 545,000 Russian rubles

Malware Infection

After the client dispatches the infected application, it demands application admin rights.

Once user installs the malicious application, it demands application admin rights.

How this malware works

As per Lu, law breakers can send 20 type of commands to contaminated hosts, orders which can lock or open the device’s screen, add new contacts to the telephone, take all contacts, send SMS messages, and redesign the malware’s code.

Here we can see a detailed analysis on how this malware works

Jfldnam Class

Next the Jfldnam Class used in GCM registration.The key code bit is demonstrated as follows.

Note : Google Cloud Messaging (GCM) is a free service that enables developers to send messages between servers and client apps.

The GCM Broadcast Receiver announcement in AndroidManifest record, there are three services revelations in the AndroidManifest document.

class kbin.zqn.smv.Ewhtolr is the GCM Service Class, with subclass Hkpvqnb, the following code is used to handle the action of intent related to GCM.

If the action is equal to “com.google.android.c2dm.intent.REGISTRATION”, it means that GCM registration has been successful. The malware handles the response from GCM server.

The registration_id is stored in com.google.android.gcm.xml, if the GCM registration is successful, the malware sends RegId to the C2 server.

From the above figures we can see that the malware uses AES to encrypt the json data that stores the reg_id, and it then sends the encrypted data to its C2 server.

Locker class

This is used to gain device administrator rights.

Omnpivk class

This is utilized to show a locker screen that requests that the client present their Mastercard data to open the device. A code scrap of Omnpivk class is demonstrated as follows.

The locker screen is loaded from the asset folder. It looks like this.

Once the gadget is blocked by this malware, the locker screen is overlaid on top of the framework window. Clients are kept from doing anything on the gadget until their bankcard information is given.

Likewise you can read : No more ransom adds immense power to globe against Ransomware Battle

Once the client enters their card details, the malware sends it to the C2 server. The caught movement is demonstrated as follows.

This ransomware is now focusing on just Russian clients. Much the same as most Android malware today, this risk is covered up inside an application that solicitations clients to give it head rights.

The application is probably downloaded and introduced from outsider application stores. Since the ransomware gets administrator rights, clients need to reboot their gadgets in experimental mode and expel the application from that point.

General Methods to prevent Ransomware

1.Backup data.
2.Disable files running from AppData/LocalAppData folders.
3.Filter EXEs in the email.
4.Patch or Update your software.
5.Use the Cryptolocker Prevention Kit.
6.Use a reputable security suite.
7.CIA cycle(Confidentiality, integrity, and availability)
8.Utilize System Restore to recover the computer.
9.Disconnect Internet connection immediately.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

5 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

5 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

8 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

11 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

12 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

12 hours ago