Android ransomware purports to be a free social media follower application


The SonicWall Capture Labs Threat Research team has observed many Android locker ransomware samples that ask the victim to communicate with the operators over social media platforms. There is no assurance of getting the unlock key even after paying the ransom; the operators use these apps purely for monetary gain. Some of the applications pose as free social media follower apps but are in fact ransomware, as shown below.


Figure 1: Ransomware App Icons


All of these malicious apps were recently submitted to malware-sharing platforms such as VirusTotal.


Figure 2: VirusTotal submission history


Infection Cycle:

Major permissions used in these apps are mentioned below:


The permission “SYSTEM_ALERT_WINDOW” is used to display overlay windows above all other activity windows in order to show the ransom note.

After installation the app is not visible in the app drawer; to view the installed app's information you need to go to Settings -> Apps.


Figure 3: Malicious app visible under settings


In the manifest file, “android.intent.category.LAUNCHER” is not set on MainActivity, as shown below, which means the application has no launcher icon on the home screen.


Figure 4: Main activity launcher missing


The malicious application launches after the “ACTION_BOOT_COMPLETED” system event, which is fired once the Android system has completed the boot process. It then sets a lock screen with a ransom note, and the user is not able to access the device.


Figure 5: Ransom note


On further investigation of the malicious code, each sample has a different ransom note and a different unlock key, which is hard-coded in the code itself under a “password” field. No actual encryption of any file on the device takes place; the device is only locked by the screen overlay.


Figure 6: Password and Ransom note present in code
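The manifest traits described above (overlay permission, boot receiver, MAIN activity without a LAUNCHER category) can be checked statically during triage. The following is an added example, not SonicWall's code; it assumes a decoded AndroidManifest.xml (for instance as produced by apktool), and the embedded manifest is a constructed sample, not one of the real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # namespaced android:name attribute key

# Constructed sample (not from the real samples): overlay permission, boot
# receiver, and a MainActivity whose intent-filter lacks the LAUNCHER category.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _names(elem, tag):
    """Set of android:name values of all <tag> elements beneath elem."""
    return {e.get(NAME) for e in elem.iter(tag)}


def triage_manifest(xml_text: str) -> dict:
    """Flag the locker traits described in the write-up; returns booleans."""
    root = ET.fromstring(xml_text)
    perms = _names(root, "uses-permission")
    # MAIN activity with no LAUNCHER category: no icon in the app drawer.
    hidden_main = any(
        "android.intent.action.MAIN" in _names(act, "action")
        and "android.intent.category.LAUNCHER" not in _names(act, "category")
        for act in root.iter("activity")
    )
    findings = {
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "boot_receiver": any(
            "android.intent.action.BOOT_COMPLETED" in _names(r, "action")
            for r in root.iter("receiver")
        ),
        "hidden_main_activity": hidden_main,
    }
    findings["locker_suspect"] = all(findings.values())  # all three traits present
    return findings
```

A single trait is common in legitimate apps (many request the overlay permission); it is the combination that makes a sample worth a closer look.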


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):







The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.