Having little to no coding experience is no longer a problem for wannabe mobile malware authors, thanks to Trojan Development Kits (TDKs). Criminals can now install an app that will allow them to quickly and easily create Android ransomware with their own devices. It should be noted that the use of TDKs is different from malware being created using the Android integrated development environment (AIDE), which I previously blogged about.
I first noted the emergence of these TDKs earlier this year, with the most recent one spotted just several days ago.
The whole process of creating new variants has been automated by adopting a CASE (Computer-Aided Software Engineering) tool model or, to be more precise, a DAME (Device-Aided Malware Engineering) tool model.
On-device malware generation kit
Wannabe malware authors can start using TDKs by first downloading the free app. The apps are available from hacking forums and through advertisements on a social networking messaging service popular in China.
The app, which has an easy-to-use interface, is no different from any other Android app apart from the fact that it creates malware.
To generate the malware, all the user needs to do is choose what customization they want by filling out the on-screen form.
Options available for customizing include:
- The message that is to be displayed on the locked screen of the infected device
- The key to be used to unlock the infected device
- The icon to be used by the malware
- Custom mathematical operations to randomize the code
- Type of animation to be displayed on the infected device
Figure 1. The malware generator app
Once all of the information has been filled in, the user hits the “create” button and, if they haven’t already done so, is asked to subscribe to the service. The app allows the user to start an online chat with the app’s developer where they can arrange a one-time payment. Once the user has subscribed, they can continue with the process, making as many ransomware variants as they desire.
After the payment has been made, the malware is created and stored in the external storage in ready-to-ship condition, as illustrated in Figure 2.
Figure 2. The malware is created with the chosen configuration
It is then up to the user how they want to spread their newly created ransomware. Anyone unlucky enough to be tricked into installing the malware will end up with a locked device held to ransom. The malware created using this automation process follows the typical Lockdroid behavior of locking the device’s screen with a SYSTEM_ALERT_WINDOW and displaying a text field for the victim to enter the unlock code.
Figure 3. The ransomware created using the Trojan Development Kit in action
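The screen-locking behaviour described above depends on the SYSTEM_ALERT_WINDOW permission, and the advice later in this post is to pay close attention to the permissions an app requests. The following triage helper is an added example, not Symantec's code or anything from the kit itself: it parses a decoded AndroidManifest.xml (such as apktool output) and reports the overlay and boot-persistence indicators a Lockdroid-style locker needs. The sample manifest, package name and receiver name are constructed for the example.

```python
# Added example (not from the original post): flag the manifest indicators of a
# Lockdroid-style overlay locker in a decoded AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the namespaced android:name attribute

# SYSTEM_ALERT_WINDOW draws the lock overlay; boot persistence re-locks after a restart.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (package and receiver names are hypothetical).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME) for p in root.iter("uses-permission")}


def boot_receivers(manifest_xml):
    """Return names of receivers whose intent filters listen for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return [r.get(NAME) for r in root.iter("receiver")
            if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))]


def overlay_lock_indicators(manifest_xml):
    """List human-readable reasons this manifest matches the locker pattern."""
    perms = requested_permissions(manifest_xml)
    reasons = []
    if OVERLAY in perms:
        reasons.append("requests SYSTEM_ALERT_WINDOW (can draw a full-screen overlay)")
    if BOOT in perms or boot_receivers(manifest_xml):
        reasons.append("starts at boot (the overlay would return after a restart)")
    return reasons


if __name__ == "__main__":
    for reason in overlay_lock_indicators(SAMPLE_MANIFEST):
        print("indicator:", reason)
```

A clean manifest that declares neither the overlay permission nor a boot receiver yields an empty list, so the helper is useful as a first-pass filter before deeper analysis.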
The entire process of creating a ready-to-use piece of malware is done on a smartphone without any requirement to write a single line of code.
The TDK samples I’ve analyzed so far are all aimed at Chinese-speaking users, but modifying the interface language would be simple. If it is not already the case, it is likely different language versions will soon be made available.
The emergence of easy-to-use malware development kits such as these lowers the bar for aspiring cyber criminals wanting to enter the ransomware game. Individuals with little technical knowledge can now create their very own customized Android ransomware. However, these apps are not just useful for aspiring and inexperienced cyber criminals, as even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves. We expect to see an increase in mobile ransomware variants as these development kits become more widespread.
To protect against this kind of threat on mobile devices, Symantec recommends users observe the following security best practices:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites
- Only install apps from trusted sources
- Pay close attention to the permissions requested by an app
- Install a suitable mobile security app, such as Norton, in order to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect Trojans created using these kits as the following: