An application presented as a Flash Player for Android uses an instant messaging protocol (XMPP) to communicate with its C&C servers.
Recent research by Check Point Software Technologies revealed that this malware differs from other mobile ransomware in its unusual method of communicating with its servers: it uses the Extensible Messaging and Presence Protocol (XMPP) to talk to its C&C servers.
Here’s what researchers discovered:
Our Ransomware sample takes a different approach for its communications. It uses a common instant messaging protocol called XMPP (Extensible Messaging and Presence Protocol) to send information from the infected device and to receive commands such as encrypt user files with a given key encryption, send an SMS, call a phone number, etc.
Using XMPP makes it much more difficult for security devices to trace the malware C&C traffic as well as distinguish it from other legitimate XMPP traffic. It also makes it impossible to block traffic by monitoring for suspicious URLs. Furthermore, as this technique uses external library functions to handle the communication, the malware does not require any additional application to be installed on the device. As XMPP supports TLS, the communication between the client and the server is also natively encrypted.
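One defensive consequence of the researchers' point, as an added illustration that is not part of the Check Point write-up: even when an XMPP session is upgraded to TLS, the client's opening `<stream:stream to='...'>` header is sent in cleartext before STARTTLS, so a network sensor can still recover the server domain and compare it against the XMPP services a device is expected to use. The flow records and the allowlist below are constructed for the example.

```python
import re

# Constructed sample of captured flow records:
# (source device, destination IP, first cleartext bytes the client sent).
SAMPLE_FLOWS = [
    ("phone-01", "203.0.113.10",
     "<?xml version='1.0'?><stream:stream to='talk.example.com' "
     "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"),
    ("phone-02", "198.51.100.7",
     "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
     "to=\"cc-unknown.example.net\" version='1.0'>"),
    ("phone-03", "192.0.2.20", "\x16\x03\x01..."),  # plain TLS handshake, not an XMPP stream header
]

# Assumption: the defender maintains a list of XMPP domains its managed devices
# are expected to talk to (constructed value).
ALLOWED_XMPP_DOMAINS = {"talk.example.com"}

# Matches the 'to' attribute of the client's opening stream element.
STREAM_OPEN = re.compile(r"<stream:stream\b[^>]*\bto=['\"]([^'\"]+)['\"]")


def xmpp_server_domain(first_bytes):
    """Return the 'to' domain from a cleartext XMPP stream header, or None.

    The opening <stream:stream> element precedes STARTTLS, so this domain is
    visible on the wire even when the session is later encrypted."""
    m = STREAM_OPEN.search(first_bytes)
    return m.group(1) if m else None


def flag_unexpected_xmpp(flows, allowed=ALLOWED_XMPP_DOMAINS):
    """Return (device, dst_ip, domain) for XMPP sessions to domains outside the allowlist."""
    alerts = []
    for device, dst_ip, first_bytes in flows:
        domain = xmpp_server_domain(first_bytes)
        if domain is None:
            continue  # not XMPP, or the stream header was not observed
        if domain not in allowed:
            alerts.append((device, dst_ip, domain))
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_xmpp(SAMPLE_FLOWS):
        print("XMPP session to unexpected domain:", alert)
```

The same domain is usually also visible in the TLS SNI field, so the two checks can be combined for sessions where the stream header was missed.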
It is not difficult to end up in this situation: once you download and install this fake Flash Player (accepting all terms and conditions, granting all requested permissions, and so on), most of the data stored on your mobile device is encrypted immediately.
How do you know if your device is infected? First of all, you will see a picture like this (see the picture below):
Moreover, you will receive an SMS alert stating that if you fail to pay the ransom within the next 48 hours, it will be tripled. That is a classic threat meant to frighten users and push them into paying.
Even though most of the devices infected with this ransomware are located in the USA, some are also in Europe and Asia. So far, almost 10 percent of the victims have already paid the ransom. The lowest ransom is $200, and it can go up to $500.
If your device is infected with this ransomware, we do not recommend paying the ransom. Even if you pay, there is no guarantee that your files will be decrypted.