Method of infection
This malware is tricking the phone users into thinking they are downloading some useful software with names like flash player update, video player, browser update, system update or even some porn app. Newer variants come bundled inside other legitimate applications.
The users are either tricked into downloading the application from a website or receive the application as an email attachment.
After installation it will display a fake FBI notice informing the user that he has broken the law by visiting some illegal pornographic site, that he has been located by the “FBI Cyber Crime Unit” based on the phone location services, that the phone has been locked and you are obligated to pay a fine of 500$ .
The notice covers the entire mobile screen; the back and home buttons are disabled as well.
The screenshot shows only part of the text, scrolling down, the entire text reads:
“As a result of full scanning of your device, some suspicious files have been found and your attendance of the forbidden pornographic sites has been fixed. For this reason your device has been locked. Information on your location and snapshots containing your face have been uploaded on the FBI Cyber Crime Department’s data center. First of all, familiarize with the positions stated in the section “The Legal Basis of Violations”. According to these positions your actions bear criminal character, and you are a criminal subject. The penalty as a base measure of punishment on you which you are obliged to pay in a current of three calendar days is opposed. The size of the penalty is $500
Attention! Disconnection of disposal of the device or your attempts to unlock the device independently will be apprehended as unapproved actions interfering the execution of the law of the United States of America (read section 1509 – obstruction of court orders and section 1510 – obstruction of criminal investigations). In this case and in case of penalty non-payment in a current of tree calendar days from the date of this notification, the total amount of penalty will be tripled and the respective fines will be charged to the outstanding penalty. In case of dissent with the indicted prosecution, you have the right to challenge it in court. To make a penalty payment, go to section “Payment Penalties”.
To make the message more credible, another section displays some personal information like the user’s Phone number, IMEI code, IP address and some Browser History containing pornographic content as “evidence”.
To scare even further, the ransomware threatens that it took snapshots of the user’s face using the frontal camera of the phone and sent them to the “FBI Cyber Crime Unit”.
Some variants actually do take one snapshot using the frontal camera and include them in the section below.
On the payment section we find that the “Fine” must be paid through Moneypak, a convenient payment method for ransomware since these kind of transactions cannot be reversed like normal bank transactions.
Disassembling the software we find that it is capable to receive remote commands, such as unlocking the phone or wiping the entire data, but some users reported that paying the fine either didn’t unlock the phone or it unlocked temporarily and recurred at a later time.
Once the ransomware takes control of the phone, it will disable normal control so you will not be able to download an anti-virus program, or do anything else for that matter.
The only method to regain control over your phone is to restart your phone in Safe Mode.
Here is the way to start your phone in safe mode for Galaxy S3, S4, HTC and Motorola, you may have to google around a bit for other models:
S4 – 1. Power down. 2. Turn on and repeatedly tap the soft-button for “Menu.”
S3 – 1. Power down. 2. Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor’s logo appears.
Once you have successfully entered safe mode, you can download any important files from your phone and then do a factory reset, either yourself or send the phone in service to have an expert do it.
Preventing future infections
The best way to make sure you don’t get infected with this ransomware is to only install software from the official Google Play store. By default Android phones have the installation from other sources disabled, so if you try to install an application that is not from Google Play, the system will display the following warning, and in order to continue installing software you must manually enable installation from other sources:
We recommend that you press Cancel each time you see this window, and only install software from Google Play.
Other ways to tell if the application has mal intent
A way to tell whether an application has bad intentions or not is seeing unusual permissions requested at installation:
For example, this Video Player app is requesting to read contacts and run at startup.
Another warning sign is an app requesting Device Administrator access. You should never allow this kind of access to applications as this can result in erasing all data or your passwords being changed.
As we are dealing more and more with malware capable of deleting all files from mobile devices, you should make sure that you don’t keep essential information *just* on your smartphone or tablet.
You can sync contacts with your Google or iCloud account and photos, videos or other files with popular cloud storage providers such as Dropbox, Google Drive or OneDrive.