Sonorousness: the latest ransomware of the S-Locker family
Recently, NewSky Security received a threat sample from the security community that is a derivative of the S-Locker ransomware family. This new derivative is known as Sonorousness, named after a class within the malware called “com.sonorousness”. Compared to S-Locker, this new malware contains enhanced code protection techniques that make code analysis more difficult. We provide our analysis in this post.
The APK Overview
The Sonorousness ransomware is combined with an app that promises to deliver porn media. When installed, it performs the following behaviors.
- Protects itself by requesting device administrator privileges
- Keeps its pop-up window on top of all others to prevent the affected user from reaching the device settings and revoking the admin privilege
- Registers a new background service and launches itself on system startup
- Displays alarm messages demanding money for alleged “illegal sexual video” activity
- Connects every 30 seconds to a command and control (C&C) server operated by the attacker
- Accepts remote commands from the C&C server, such as taking pictures, sending pictures, and downloading and installing arbitrary .APK files
- Gathers and sends device information such as contacts, phone number, and location
The ransomware implements strong code-obfuscation techniques and also encrypts its malicious DEX file.
The ransomware .APK contains a DEX file and two resource files with an HTML extension. One of them, “info.html”, is actually an encrypted DEX file and contains almost all of the ransomware code.
This approach to obfuscating and hiding in plain sight appears to have worked, at least in the short term, as evidenced by a recent multi-scanner report for the ransomware from VirusTotal.com.
The purpose of the primary DEX code of the ransomware is to decrypt the encoded component “info.html”, which is itself a DEX file. To hinder reverse engineering, Androguard was used to obfuscate the class, method, and variable names, and API calls were wrapped in reflection via getClass(), getMethod(), and invoke(). The encrypted component was obfuscated with Androguard in the same way, so API and class names appear only in obfuscated string form rather than as direct references.
Using debugging tools, we recover the method names and spot the suspicious name “test.apk”, which is the file name of the decrypted ransomware.
At this point, the ransomware code is recovered and begins to execute.
Functions of the Ransomware
The ransomware uses social engineering (fake FBI alerts) to trick affected device users into paying the ransom. Interestingly, the only form of payment requested and accepted is an iTunes gift card. Sonorousness repeatedly displays the warning messages using AlarmManager, keeping the alert window as the topmost window.
Sonorousness attempts to connect with a command and control (C&C) server to receive commands from an attacker.
Remote commands can include opening a specified URL, sending personal information, taking photos, and installing specified Android apps.
In Conclusion – Approaches to Detection
Despite its code protection mechanism and social engineering tricks, it is not impossible to detect threats such as Sonorousness via reverse engineering or a sandbox. Here are some of our ideas:
- Executable file disguised as a resource file. HTML files are not normally binary. This can be detected by static analysis.
- Execution of a dynamically generated file. In the case of Sonorousness, the component “test.apk”, which is the ransomware body, is not within the primary code; it is generated at runtime and then executed. The “write and execute” combination is definitely suspicious and can be detected by dynamic execution.
- Aggressive requests for device administrator. Without the elevated device admin privilege, this ransomware could be removed with a simple “adb uninstall” command. Sonorousness displays the device admin request window every 5 seconds, classic malware behavior. This can be detected via either static or dynamic approaches.
- Always-on-top pop-up screens that block normal use of the phone. This is another classic behavior of ransomware and other malware, and can be detected via either static or dynamic approaches.
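The first idea above (a binary blob hiding under an HTML extension) can be checked statically with nothing more than a ZIP reader. The following is an added example, not NewSky's tooling: it scans every APK entry whose extension promises text, flags an unencrypted DEX by its magic and an encrypted one by its non-text byte ratio, and builds a constructed sample APK (the file names and the 0.30 threshold are assumptions) to run against.

```python
import io
import zipfile
from typing import Dict

TEXT_EXTENSIONS = (".html", ".htm", ".txt", ".xml", ".js", ".css", ".json")  # should hold readable text
DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n0NN\0"
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def non_text_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)

def classify_entry(name: str, data: bytes) -> str:
    """Verdict for one archive entry: 'ok', 'dex-as-resource' or 'binary-text-resource'."""
    if not name.lower().endswith(TEXT_EXTENSIONS):
        return "ok"
    if data.startswith(DEX_MAGIC):
        return "dex-as-resource"  # unencrypted DEX hidden under a text extension
    # An encrypted DEX carries no magic, so fall back on "is this even text?" (threshold assumed).
    if non_text_ratio(data) > 0.30:
        return "binary-text-resource"
    return "ok"

def scan_apk(apk_bytes: bytes) -> Dict[str, str]:
    """Scan every file in an APK (a ZIP archive) and return only the suspicious entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_entry(info.filename, zf.read(info))
            if verdict != "ok":
                findings[info.filename] = verdict
    return findings

def build_sample_apk() -> bytes:
    """Constructed APK for the demo (not a real sample): one real HTML page plus two disguised resources."""
    fake_cipher = bytes((i * 167 + 13) % 256 for i in range(4096))  # stands in for an encrypted DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)  # legitimate location for DEX code
        zf.writestr("assets/index.html", "<html><body>hello</body></html>")
        zf.writestr("assets/info.html", fake_cipher)  # the Sonorousness pattern: encrypted DEX as HTML
        zf.writestr("assets/help.html", b"dex\n035\0" + b"\0" * 64)  # plain DEX mislabelled as HTML
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk())` reports `assets/info.html` as binary-text-resource and `assets/help.html` as dex-as-resource while leaving `classes.dex` and the genuine HTML page alone.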
Adult Video APK SHA256
Hash values for similar samples