Trend Micro Incorporated detected a new variant of the mobile ransomware SLocker, notable for being an Android file-encrypting ransomware. This particular SLocker variant is the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak and copy its GUI.
This ransomware disguises itself as game guides, video players, and so on in order to lure users into installing it. When the ransomware is installed, it checks whether it has been run before. If it has not, it generates a random number and stores it in Shared Preferences, which is where persistent application data is saved. Then it locates the device’s external storage directory and starts a new thread. Once the ransomware runs, the app changes its icon and name, along with the wallpaper of the infected device. To do this, the ransomware declares a disabled activity alias; it then changes its icon by disabling the original activity and enabling the alias.
The original sample captured by Trend Micro was named ‘King of Glory Auxiliary’ and was disguised as a cheating tool for the game King of Glory. When installed, it has a similar appearance to WannaCry, which has already inspired a few imitators. Trend Micro observed that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and encrypts only files that have suffixes (text files, pictures, videos).
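A static triage check for the icon-swap setup described above, as an added example that is not Trend Micro's code and is not taken from the sample: it parses a decoded AndroidManifest.xml and reports a launcher alias that ships disabled with a different label or icon than its target, plus external-storage permissions. The manifest, package and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
STORAGE = {"android.permission.WRITE_EXTERNAL_STORAGE",
           "android.permission.READ_EXTERNAL_STORAGE"}

# Constructed sample (decoded AndroidManifest.xml); all names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.guide">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Game Guide">
    <activity android:name=".MainActivity" android:label="Game Guide">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".Alias" android:enabled="false"
        android:label="Locked" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def is_launcher(component):
    cats = {c.get(ANDROID + "name") for c in component.iter("category")}
    return "android.intent.category.LAUNCHER" in cats

def look(component):
    # What the launcher shows for this entry: its label and icon.
    return component.get(ANDROID + "label"), component.get(ANDROID + "icon")

def triage_manifest(xml_text):
    """Return (kind, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    launchers = {a.get(ANDROID + "name"): a for a in root.iter("activity")
                 if is_launcher(a)}
    for alias in root.iter("activity-alias"):
        target = launchers.get(alias.get(ANDROID + "targetActivity"))
        disabled = alias.get(ANDROID + "enabled", "true") == "false"
        # A disabled launcher alias that looks different from its target
        # lets the app swap its visible icon and name at run time.
        if target is not None and disabled and is_launcher(alias):
            if look(alias) != look(target):
                findings.append(("icon-swap-alias", alias.get(ANDROID + "name")))
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings += [("external-storage", p) for p in sorted(perms & STORAGE)]
    return findings
```

Legitimate apps also use disabled aliases to switch icons, so treat a hit as a reason to look closer at the app rather than as a verdict.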
Nilesh Jain, Country Manager (India and SAARC), Trend Micro said, “Compared to the ransomware we’ve seen before, this ransomware is relatively simple. It is actually quite easy for a security engineer to reverse the ransomware and find a way to decrypt files. To help users keep the information on their mobile device safe, Trend Micro suggests installing apps downloaded from legitimate app stores such as Google Play and being careful about permissions an app asks for, especially permissions that allow the app to read/write on external storage.”
He further added, “It is also important to back up your data regularly—either on another secure device or on cloud storage. Users must install comprehensive antivirus solutions. Mobile security solutions such as Trend Micro Mobile Security block threats from app stores before they can be installed and cause damage to devices, while Trend Micro Maximum Security offers in-depth protection for multiple devices and proactively secures them from the threat of ransomware.”