New Android Ransomware Communicates over XMPP

A new strain of Android ransomware disguised as a video player app uses an instant messaging protocol called XMPP to receive commands and communicate with the command and control server.

A new strain of Android ransomware disguised as a video player app uses a means of communication unseen in other similar malware.

Most of the victims are in the United States, and the mobile crypto-ransomware scam appears to be profitable, according to researchers at Check Point Software Technologies, who said that tens of thousands of devices could be infected and that to date about 10 percent of the victims have paid ransoms of between $200 and $500. Check Point concedes its dataset is incomplete and that it’s likely more devices are infected and the hackers have pocketed more than the $200,000 to $500,000 estimates.

Like most mobile ransomware, these infections begin with the victim downloading a phony application from a third-party app store, in this case a supposed Flash Player app. Once the victim approves installation and the requested permissions, the ransomware encrypts all the data on the phone and demands a ransom to restore it.

Victims of this strain see a message purporting to be from the National Security Agency, with threatening language about copyright violations and a warning that fines will be tripled if not paid within 48 hours of notification. The NSA message has been used with other mobile ransomware such as Koler and Simplocker.

What sets this strain apart from others, Check Point said, is that the ransomware uses an instant messaging protocol called XMPP, or Extensible Messaging and Presence Protocol, to receive commands and communicate with the command and control server.

“Using XMPP makes it much more difficult for security devices to trace the malware C&C traffic as well as distinguish it from other legitimate XMPP traffic,” Check Point said in a report published Wednesday. “It also makes it impossible to block traffic by monitoring for suspicious URLs.”

Unlike most ransomware, which communicates over HTTP, this strain’s use of XMPP has been effective in helping it evade detection. With HTTP communication, traffic to the URL or static IP address of the C&C server can be blocked, denying the attackers the ability to send encryption commands and process files, Check Point said.

“As this technique uses external library functions to handle the communication, the malware does not require any additional application to be installed on the device,” Check Point said. “As XMPP supports TLS, the communication between the client and the server is also natively encrypted.”
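The practical consequence of the two paragraphs above is that URL- and IP-based blocklists do not see this traffic, so a defender has to key on the protocol and on which app opened the session. The following is an added illustration written for this article, not Check Point’s code or anything taken from its report: it assumes a hypothetical per-app connection log (app name, destination, port, first bytes the client sent) of the kind a mobile device management or on-device firewall agent might produce, and flags XMPP sessions from apps that are not expected to use XMPP. The log records and app names are constructed.

```python
"""Flag XMPP client sessions opened by apps with no business using XMPP.

Added example for this article (not Check Point's code). Assumes a
hypothetical per-app connection log; all records below are constructed.
"""
from dataclasses import dataclass

# IANA-registered XMPP client port and the legacy direct-TLS client port.
XMPP_PORTS = {5222, 5223}
# A cleartext XMPP session (or the pre-STARTTLS part of one) opens with
# an XML stream header; after TLS is negotiated this marker is no longer
# visible, so the port and the per-app attribution carry the detection.
XMPP_STREAM_MARKER = b"<stream:stream"


@dataclass(frozen=True)
class Connection:
    app: str          # package name of the app that opened the socket
    dst_host: str
    dst_port: int
    first_bytes: bytes  # first payload bytes the client sent (b"" if none captured)


def looks_like_xmpp(conn: Connection) -> bool:
    """True if either the port or the opening bytes identify an XMPP client stream."""
    if conn.dst_port in XMPP_PORTS:
        return True
    # Non-standard port but a visible stream header still gives it away.
    return XMPP_STREAM_MARKER in conn.first_bytes[:256]


def suspicious_xmpp(conns, allowed_apps):
    """Return the connections that look like XMPP and come from apps not on the allowlist."""
    return [c for c in conns if looks_like_xmpp(c) and c.app not in allowed_apps]


# Constructed sample log: one legitimate chat client and one fake player app.
SAMPLE_LOG = [
    Connection("org.example.chat", "xmpp.example.org", 5222,
               b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>"),
    Connection("com.example.fakeplayer", "talk.example.net", 5222,
               b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>"),
    Connection("com.example.fakeplayer", "cdn.example.net", 443, b""),
    Connection("com.example.fakeplayer", "192.0.2.10", 8080,
               b"<stream:stream xmlns='jabber:client' to='192.0.2.10'>"),
]
# Apps that are known, legitimate XMPP clients on the device (constructed).
ALLOWED_APPS = {"org.example.chat"}


if __name__ == "__main__":
    for c in suspicious_xmpp(SAMPLE_LOG, ALLOWED_APPS):
        print(f"{c.app} -> {c.dst_host}:{c.dst_port} looks like an XMPP session")
```

The allowlist is the important part: XMPP itself is legitimate traffic, which is exactly why Check Point says it blends in, so the signal is not “XMPP seen” but “XMPP from an app that should not be a chat client”. Once the session is inside TLS, the stream header check contributes nothing and only the port and app attribution remain, so a log source that attributes sockets to packages is what makes this work.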

Check Point said the attackers crafted ransom messages based on the device’s geographic location, making it convincing to the victim.

“It appears the malware writers designed the sample so both the device’s location configuration and the mobile operator name are examined upon successful infection,” Check Point said. “As a result, the ransom message displayed actually matches the area where the device is located, making this a very sneaky malware.”

Check Point said there are dozens of XMPP command and control accounts tied to these attacks, which have since been suspended by the respective operators.

“The files on any machines newly infected with these samples should be safe, as the malware won’t be able to effectively encrypt the files without the C&C commands,” Check Point said. “Unfortunately, new samples from this campaign are still appearing almost every day.”

In its report, Check Point has published indicators of compromise, command descriptions and details on the encryption used.
