Overview: Cryptolocker and Ransomware

Within the past 2 years, in addition to the conventional malware, the so-called Ransomware has spread massively. While in 2014 less than 10 known families/variants roamed in this area, we discovered 15 of those blackmailing apps in 2015. Within the first quarter of 2016 this number has already been exceeded (as can be seen in the table below). Last year, we saw a special form of Ransomware appearing, the so-called Cryptolocker. This special form is feared by users and security responsible people within an organization because it blocks not only the smartphone or tablet – as it is the case with Ransomware – but also all data of the user becomes encrypted on an infected device.


Year Ransomware Cryptolocker
2014 10 0
2015 9 6
2016 (Q1) 7 10


In most cases we have seen in recent months, the authors of those malware pinch between 100 and 500 EUR in iTunes gift cards, PaySafe cards or transfers via PayPal MyCash from the infected victims to provide a decryption key. While the media reports about a large amount of people and companies paying to the attackers and getting the keys, we were unable to verify whether after a successful payment the decryption is performed, or the correct keys are supplied.


Current Threat Situation

At first, we had Ransomware found only on dubious or 18+ sites. These malicious apps were offered as stand-alone apps that provide users with the content even without a web browser available – so at least the promise. After installing those apps, you quickly find the known displayed warnings and an operation is no longer possible.

However, we have already seen the first signs that authors of those malicious apps tried to expand their audience end 2015. Nowadays, you can find such apps as drive-by downloads on infected but actually legitimate sites, or even integrated into ad networks that have been successfully infected. By doing this, the attackers can spread their malicious code on hundreds of websites simultaneously.

Some of the current Cryptolocker are even able to nestle on the infected phones due to publicly known exploits (e.g., Towelroot) and easily exploitable vulnerabilities on older versions of Android (Android <5.0), without requiring the user to interact with the malware. This is probably the biggest change in the threat situation since the first notifications of Ransomware.


Examples from everyday life

Below we have picked three common malware families from the area of Ransomware. We will describe very briefly how they work and how an infection takes place.



This malware is one of the classic representatives of the Ransomware. The infection can be carried out via the following two ways:

  1. The user is surfing on a website and gets a pop-up to see which tells him that a benign-looking app is available for download, or
  2. the user receives a spam email telling him that a security update of Adobe Flash Player is available tricking him into installing an updated version of this app.

Having installed this app – and after installing of untrusted sources has been admitted – the user needs to start the app. At this point, it takes a picture with the front camera of the smartphone that will be used later for the blackmailing and the app starts to listen for a reboot of the device in the background (within some versions of this malware we also saw a timer that starts a count down).

Once the timer reaches 0 or the device has been rebooted, the app opens automatically and only displays a predetermined screen. This screen can no longer be bypassed by the user and displays the message to blackmail.


Since this malware performs no encryption in the background, it can also be removed quite easily by an expert:

  1. Reset the smartphone through the recovery menu to factory settings,
  2. boot the smartphone using an alternative firmware like TWRP and delete the app, or
  3. uninstall the app by using adb uninstall (only possible if the developer mode has been enabled previously).



This family of malware was discovered by Palo Alto Networks. It is far more than just a common Ransomware as we have seen with Slocker above.

The first versions disguised themselves primarily as banking apps for known banks in Australia and Russia. In the background of these variants the app sends bank information of the infected users to the authors of the malware and continuously observes received SMS messages for mTAN messages – actually the classical banking Trojan.

But that’s not all: xbot can be activated remotely to lock the device and even encrypt the content of the SD card completely. Thereafter, the user receives only a message asking for the transmission of $ 100 to the malware author to get the encrypted data back.


To this end the app must, however, register the device administrator role, because otherwise it does not have the necessary rights to perform the needed actions. In the versions that we’ve seen, it does so very primitively by simply asking the user for it. If the user doesn’t activate the app as a device administrator, xbot is not able to resist to uninstalling and can’t encrypt the data of the infected device. Newer versions of this malware camouflage themselves now as WhatsApp or other known and popular apps.

As long as the malware has not encrypted data, one can remove it similarly as Slocker above. If the encryption has started or it has even been carried out successfully the only thing that could help is reversing the app to understand which encryption-key the app has used.

Within the first versions of this malware, it has been observed that the “encryption” is a simple XOR with the Integer 50 – this has now changed however and newer versions work with keys that they receive remotely together with the actual encryption command making it nearly impossible to get the correct key afterwards without paying the attacker.



This malware family is probably the best variant which we have seen in the area of Android so far. It is known by the name Cyber Police and is a classical Cryptolocker without any additional features.

Cyber Police

Infected can be almost any phone with an OS older than Android 5.0 without the need of a user to actively interact with the app – no clicking of popups, manually installing apps or activating installations from untrusted sources, even without granting device administrator rights manually.

This malware makes use of browser vulnerabilities that have been known from the Hacking Team  leak coupled with root-exploits like Towelroot. So a simple surfing to a malicious webpage with an “outdated” smartphone can be enough to become infected.

If you have been infected with this malware, the only solution is to reset to factory settings or manual flash with a new firmware from the manufacturer or an alternative variant, such as Cyanogen. This is needed because Cyber Police actively resists against uninstallation or decryption.

The only “positive” fact so far is, that we have seen this specific malware family only on dubious 18+ sites and not within legitimate looking websites.


Closing Remarks

As we have seen in the evolution of this kind of threat the associated malware families are meanwhile far more than just blackmailing apps that lock infected devices. The latest versions can actively resist against analysts or simple uninstall routines and use state-of-the-art public key crypto. Some of those apps even try to find out, if they hit a personal phone or a company-owned one to change the amount of money they pinch from an infected user. But there are some recommendations that can protect a user against at least some of the above described threats:

  1. Do not click on popups telling you to install an app (even if it claims to be an update of a legitimate app),
  2. do not enable installation from untrusted sources within the device settings,
  3. do not authorize device admins other than the official Google device admin or the company MDM,
  4. do not surf to dubious websites that you wouldn’t surf to on your PC, and
  5. backup your device regularly.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.