Sonorousness ransomware unmasked
Sonorousness: the latest ransomware of the S-Locker family
Recently, NewSky Security received a threat sample from the security community that is a derivative of the S-Locker ransomware family. This new derivative is known as Sonorousness, named for a class within the malware called “com.sonorousness”. Compared to S-Locker, this malware adds code-protection techniques that make code analysis noticeably harder. We provide our analysis in this post.
The APK Overview
The Sonorousness ransomware is bundled with an app that promises to deliver porn media. Once installed, it performs the following behaviors:
- Protects itself by requesting device administrator privileges
- Sets its pop-up window to always stay on top, preventing the affected user from reaching the device settings to revoke the admin privilege
- Registers as a new background service and launches itself on system startup
- Displays alarm messages demanding money for alleged “illegal sexual video” activity
- Connects to an attacker-controlled command & control (C&C) server every 30 seconds
- Accepts remote commands from the C&C server, such as taking pictures, sending pictures, and downloading and installing arbitrary APK files
- Gathers and sends device information such as contacts, phone number, and location
The ransomware implements strong code-obfuscation techniques and also encrypts its malicious DEX file.
Protection Methods
The ransomware APK contains a DEX file and two resource files with an .html extension. One of the HTML files, “info.html”, is actually an encrypted DEX file and contains almost all of the ransomware code.
This approach to obfuscating and hiding in plain sight appears to have worked, at least in the short term, as evidenced by a recent VirusTotal.com multi-scanner report for the sample.
The primary DEX code of the ransomware exists to decrypt the encoded component “info.html”, which is itself a DEX file. To hinder reverse engineering, Androguard was used to obfuscate the class, method, and variable names, and API calls were wrapped in reflection (getClass(), getMethod(), and invoke()). This encrypted component was obfuscated the same way, so its API and class names appear only in highly variable string formats.
Using debugging tools, we recovered the method names and spotted the suspicious name “test.apk”, which is the file name of the decrypted ransomware.
At this point, the ransomware code is recovered and begins to execute.
Functions of the Ransomware
The ransomware uses social engineering, displaying fake FBI alerts, to trick affected device users into paying the ransom. Interestingly, the only payment form requested and accepted is an iTunes gift card. Sonorousness uses the annoying tactic of repeatedly displaying warning messages through AlarmManager, with the alert window kept as the topmost window.
Sonorousness attempts to connect to a command and control (C&C) server to receive commands from an attacker.
Remote commands include opening a specified URL, sending personal information, taking photos, and installing specified Android apps.
In Conclusion – Approaches to Detection
Despite its code protection mechanisms and social engineering tricks, threats such as Sonorousness can still be detected through reverse engineering or in a sandbox. Here are some of our ideas:
- An executable file forged as a resource file. HTML files are not normally binary, so this can be detected by static analysis.
- Execution of a dynamically generated file. In Sonorousness, the component “test.apk”, which is the ransomware body, is not present in the primary code; it is generated at runtime and then executed. The “write and execute” combination is definitely suspicious and can be detected by dynamic execution.
- Aggressive requests for device administrator. Without the elevated device admin privilege, this ransomware could be defeated with a simple “adb uninstall” command. Sonorousness displays the device admin request window every 5 seconds, classic malware behavior that can be detected by either static or dynamic approaches.
- Always-on-top pop-up screens that block normal use of the phone. This is yet another classic behavior of ransomware and other malware, and can be detected by either static or dynamic approaches.
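As an added example (not code from the NewSky post or from the malware), the first detection idea above as a static check: a small Python script opens an APK as a zip, finds every entry named *.html, and flags those whose bytes are not plausible text, whether a plain DEX file (recognised by the "dex\n" magic) or opaque high-entropy data like the encrypted DEX in “info.html”. The in-memory sample APK, the 7.0 bits/byte entropy threshold and the entry names are constructed assumptions.

```python
# Added example, not code from the NewSky post or the malware: classifies each
# .html entry in an APK (a zip) as text, a DEX file (magic "dex\n"), or opaque
# binary such as an encrypted DEX. Sample APK is constructed; threshold assumed.
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; real HTML rarely exceeds ~5.5 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_text(data: bytes) -> bool:
    """Genuine HTML decodes as UTF-8 and contains no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def classify_resource(data: bytes) -> str:
    """Return 'dex', 'binary', or 'text' for one resource's bytes."""
    if data.startswith(DEX_MAGIC):
        return "dex"  # plaintext DEX hiding behind an .html name
    if not looks_like_text(data) or shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "binary"  # encrypted/compressed payload, as with info.html
    return "text"

def scan_apk_html(apk_bytes: bytes) -> dict:
    """Map each .html entry in the APK to its classification."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: classify_resource(zf.read(n))
                for n in zf.namelist() if n.lower().endswith(".html")}

def build_sample_apk() -> bytes:
    """Constructed APK: a genuine page plus an info.html filled with opaque bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/index.html", "<html><body>Adult Video</body></html>")
        zf.writestr("assets/info.html", bytes(range(256)) * 4)  # stand-in for encrypted DEX
    return buf.getvalue()
```

Any .html entry that comes back as "dex" or "binary" is worth a closer look; a genuine page will always be reported as "text".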
Sample information
Adult Video APK SHA256
f6d23ae6c22ca7b4f2cf5ba34fa52dc0b864dda61b5ac7ef76a2cc2e02859c22
TEST.APK SHA256
bb34b454e18c41f19067b37dda98cd68c250986edaa7e0bbd3df27c83fe1ab9d
Hash values for similar samples
ecee53c5f88066df9dbe6f65a18b75976dada52f962af1d67da426bd44f8fbc8
39c8555bcdb5ee1b10774f29508c41fa1c6589e1e932c2b2a46463839299705c
26f36f716ab479124831d3f3c5ecadf776bd4c2384d63bd6e509b8eda7c60f1f
0c4551c84aa80b5ce3d6dea87d1a5b52b268f771cf20e626e9d46e095c910878