July 16, 2014
U.S. Targeted by Coercive Mobile Ransomware Impersonating the FBI
Lookout has discovered a highly concerning piece of malware that targets the U.S. The malware can render your phone inoperable, can cause loss of access to data, and otherwise attempts to extort you with a fairly scary message: you’re being investigated by the FBI, you’re a criminal. We call this family ScarePakage. It masquerades as well-known apps, such as Adobe Flash and a number of anti-virus applications, and pretends to scan your phone upon launch. After completing the fake scan it locks your phone. You can’t navigate away and if you try to reboot, the fake FBI message will be the first thing you see when the phone turns on. ScarePakage demands several hundred dollars in a MoneyPak voucher to release your device. The app performs a validation check to see if the code is long enough, but not if it will actually work. The app doesn’t need root in order to take over the phone, but it does need device administrator. All Lookout users are protected against this threat.
How It Works
The malware does its best to be as intrusive as possible by blocking the victim’s normal device-use with the app. Using a Java TimerTask, which is set to run every 10 milliseconds, the application will kill any other running processes that the user interacts that are not the malware itself or the phone's settings application. The malware also uses an Android WakeLock to prevent the device from going to sleep. The malware makes it difficult to turn the phone off, but should you be able to, a boot receiver class resumes ScarePakage’s takeover of your device immediately, shutting down all other processes that the user interacts with. In some cases, ScarePakage steals your IMEI too and displays it to the user as a scare tactic. The message to the user? We know who you are.
In some instances ScarePakage sends this IMEI back to its C&C to identify the device. ScarePakage’s functionality is very close to another piece of ransomware we call ColdBrother, but has otherwise been referenced as Svpeng. In addition to scaring you with an FBI message and locking your phone, ColdBrother can take a photo using the front-facing camera, can answer and immediately drop phone calls, and has unused code that searches for banking applications on the device.
How to Handle
ScarePakage is likely created by Russian or other Eastern European authors given language cues used in the application that we observed. Unfortunately, this ransomware is hard to remove if you give this malware device administrator privileges.
- Avoid awarding device administrator to applications unless you’re really sure of what they do
- Only download applications from developers you know and trust
- Download an applications such as Lookout, which can detect these threats before you ever open them