New Simplocker ransomware uses XMPP to bypass Android security apps

New Simplocker variant uses XMPP to communicate securely

Check Point has discovered a variant of the Simplocker ransomware program that uses a novel communications technique to bypass security.

Researchers also garnered enough communications data to determine the success rate of the ransomware – estimated to be around 10 percent, said Ofer Caspi from Check Point's malware research team, writing on the threat research blog.

Simplocker and its variants such as Koler disguise themselves as video/flash player apps for Android. Having tricked a user into downloading and installing the app, the next thing the user sees is a message that their data is being held hostage.

Check Point has designated this variant as Ransomware.Android.Simplocker.

Most ransomware programs use HTTP/S to communicate with command and control (C&C) servers prior to encrypting the victim's files. This ensures that the encryption keys don't have to be hard-coded into the app (where they could be extracted and used to decode the victim's data) and that every instance of the malware receives a unique set of keys to work with.

However, this introduces a new weakness in the malware: the ransomware depends on reaching the C&C server before it can act. Block that communication and you prevent the encryption process from even beginning.

To get around this, the creators of this new variant of the ransomware have opted to use the Extensible Messaging and Presence Protocol (XMPP). According to Caspi, XMPP makes the C&C traffic harder to trace and harder to distinguish from legitimate XMPP traffic, and it cannot be blocked simply by monitoring for suspicious URLs.

Other advantages of XMPP for the malware operator are the use of external libraries for communications, so the ransomware can travel lighter, and XMPP's support for TLS, so all communications are encrypted.
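The two preceding paragraphs make the defender's point: the variant cannot start encrypting until it has talked to its C&C server, and XMPP is chosen precisely because it blends into legitimate chat traffic and defeats URL-based blocking. The added example below (not code from the article or from Check Point) shows how a network defender can still act on that dependency: it reads a constructed, hypothetical gateway log of outbound connections from mobile devices, recognises XMPP by port or by the client stream header, flags devices opening XMPP streams to servers outside a sanctioned allowlist, and derives an egress block list. The log format, host names and allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection records from a mobile device
# gateway (hypothetical format, not from the article). Fields are
# space-separated: timestamp, device id, destination host, destination port,
# and the first bytes the client sent (kept as text here for readability).
SAMPLE_CONN_LOG = """\
2015-06-01T10:00:01Z phone-17 chat.example-corp.test 5222 <?xml version='1.0'?><stream:stream to='chat.example-corp.test' xmlns='jabber:client'>
2015-06-01T10:00:07Z phone-17 xmpp-host-a.test 5222 <?xml version='1.0'?><stream:stream to='xmpp-host-a.test' xmlns='jabber:client'>
2015-06-01T10:00:09Z phone-17 cdn.example-corp.test 443 TLS-CLIENT-HELLO
2015-06-01T10:00:20Z phone-22 xmpp-host-a.test 5222 <?xml version='1.0'?><stream:stream to='xmpp-host-a.test' xmlns='jabber:client'>
2015-06-01T10:01:00Z phone-22 xmpp-host-b.test 8080 <?xml version='1.0'?><stream:stream to='xmpp-host-b.test' xmlns='jabber:client'>
"""

# XMPP servers the organisation actually sanctions (assumed allowlist).
ALLOWED_XMPP_SERVERS = {"chat.example-corp.test"}

# Standard XMPP ports: client-to-server, legacy direct-TLS, server-to-server.
XMPP_PORTS = {5222, 5223, 5269}
# Client stream header as sent before STARTTLS; catches XMPP on odd ports.
XMPP_STREAM_RE = re.compile(r"<stream:stream\b[^>]*xmlns=['\"]jabber:client['\"]")


def parse_conn_log(text):
    """Turn the text log into a list of records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue
        ts, device, host, port = parts[:4]
        payload = parts[4] if len(parts) == 5 else ""
        try:
            port = int(port)
        except ValueError:
            continue
        records.append({"ts": ts, "device": device, "host": host,
                        "port": port, "payload": payload})
    return records


def is_xmpp(record):
    """Recognise XMPP by port OR by the stream header, so a C&C channel
    moved to a non-standard port is still identified."""
    return record["port"] in XMPP_PORTS or bool(XMPP_STREAM_RE.search(record["payload"]))


def find_suspicious_xmpp(records, allowlist):
    """Map each device to the set of unsanctioned XMPP servers it opened
    streams to. Destination reputation is the signal that survives the
    'looks like legitimate XMPP' problem the article describes."""
    hits = defaultdict(set)
    for rec in records:
        if is_xmpp(rec) and rec["host"] not in allowlist:
            hits[rec["device"]].add(rec["host"])
    return dict(hits)


def egress_block_list(suspicious):
    """Hosts to block at the egress point. Because this variant fetches its
    keys from C&C before encrypting, cutting the channel stops encryption
    from starting at all."""
    hosts = set()
    for found in suspicious.values():
        hosts |= found
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    sus = find_suspicious_xmpp(recs, ALLOWED_XMPP_SERVERS)
    for device, hosts in sorted(sus.items()):
        print(f"{device}: unsanctioned XMPP to {sorted(hosts)}")
    print("block:", egress_block_list(sus))
```

One caveat a practitioner should keep in mind: the article notes the traffic is TLS-protected, so the stream-header check only helps where the gateway sees the plaintext header before STARTTLS or performs TLS inspection. The port-plus-destination check needs no payload visibility, which is why the allowlist of sanctioned XMPP servers, not URL monitoring, is what makes this channel blockable.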

Check Point obtained hundreds of thousands of XMPP messages sent between C&C servers and infected mobile devices which enabled them to break the encryption and read the messages.

From this they determined that tens of thousands of devices were infected and an estimated 10 percent of users paid the ransoms of between $200 and $500. The majority of the victims they investigated were in the US.

Caspi said they discovered dozens of XMPP C&C accounts related to this infection and they have notified the relevant XMPP server operators to get those accounts suspended. This will prevent new instances of the ransomware from encrypting files but will also presumably prevent any victims from paying the ransom and recovering their files.

However, terminating those XMPP accounts appears to have had little effect on the volume of infections, they note.

Check Point analysed the C&C system of the ransomware program in depth using CuckooDroid, an automated Android malware analysis framework developed in-house.