Connect with us

Hi, what are you looking for?


Malware & Threats

Android Ransomware Mimics WannaCry

Android file-encrypting ransomware SLocker was recently observed using an interface similar to that of the WannaCry malware that hit Windows systems worldwide last month, TrendMicro security researchers reveal.

Android file-encrypting ransomware SLocker was recently observed using an interface similar to that of the WannaCry malware that hit Windows systems worldwide last month, TrendMicro security researchers reveal.

One of the first Android ransomware families to encrypt files on compromised devices, SLocker had a short lived success before, as the suspect supposedly responsible for it was arrested within five days after the initial detection.

The malware initally infected a small number of users because of limited transmission channels (forums like QQ groups and Bulletin Board Systems), but is back in an attempt to capitalize on the success of the WannaCry outbreak.

According to Trend Micro, the original ransomware sample found earlier this month was named King of Glory Auxiliary and was posing as a cheating tool for the game King of Glory. Once installed, however, the ransomware featured a similar appearance to WannaCry.

To lure users into installing it, the SLocker ransomware also disguises as video players, and other types of programs. After the application is first run, however, it changes the icon and name, along with the wallpaper of the infected device.

It also checks whether it has been run before, and generates a random number and stores it in SharedPreferences if not. Next, the threat locates the device’s external storage directory and starts a new thread that will first go through the directory to find files that meet specific requirements.

“We see that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos). When a file that meets all the requirements is found, the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task,” the security researchers explain.

Advertisement. Scroll to continue reading.

The malware generates a cipher based on the previously generated random number and feeds the string to construct the final key for AES before using AES to encrypt files. 

SLocker victims are provided three options to pay the ransom, but all three lead to the same QR code requesting victims to pay via popular Chinese mobile payment service QQ. The malware also threatens victims that the ransom amount will increase after three days and that files will be deleted after a week.

The malware analysis also revealed that the decryption key is compared with the value in MainActivity.m, which is the previously generated random number plus 520. Thus, users can decrypt their files for free if they can figure out the method for generating the decrypt key, TrendMicro notes.

“Compared to the ransomware we’ve seen before, this ransomware is relatively simple. It is actually quite easy for a security engineer to reverse the ransomware and find a way to decrypt files. However, the proliferation of new variants so quickly after the first one shows that these malicious actors are not slowing down. Even though a suspect was caught, more advanced ransomware may be just around the corner,” TrendMicro notes.

To stay protected, users should install only apps downloaded from legitimate app stores, and should also check the permissions requested by each app, especially when they allow the software to read/write on external storage. Users should also back up their data regularly and install and maintain a comprehensive antivirus solution.

Related: Android Ransomware Employs Advanced Evasion Techniques

Related: Enterprises Infected By Pre-installed Android Malware

Related: Charger Android Ransomware Infects Apps on Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.