The SLocker variant was short-lived after Chinese police arrested a suspect.
The SLocker variant was short-lived after Chinese police arrested a suspect.

A variant of SLocker that Trend Micro calls ANDROIDOS_SLOCKER.OPST, and which was spotted last month copying the GUI of WannaCry, stands out as one of the first ransomware types to encrypt Android files and the first to build on the success of WannaCry, according to a blog post penned by the security firm's mobile threat response team.

“While this SLocker variant is notable for being able to encrypt files on mobile, it was quite short-lived,” researchers said, adding that decrypt tools were quickly published after details on the reiteration emerged and additional variants were found.

The transmission of ANDROIDOS_SLOCKER.OPST – which had limited spread through online forums and a very low number of victims – essentially was thwarted with the arrest of a suspect by Chinese police.  

“The original sample captured by Trend Micro was named “王者荣耀辅助” (King of Glory Auxiliary), which was disguised as a cheating tool for the game King of Glory,” Trend Micro said, noting that when installed it looks similar to WannaCry, disguising “itself as game guides, video players, and so on in order to lure users into installing it.”

Once installed, the icon appears to be “a normal game guide or cheating tool,” though once it runs the icon and name change as well as the infected device's wallpaper, the researchers wrote. “The ransomware announces a disabled activity alias for “com.android.tencent.zdevs.bah.MainActivity”. It then changes its icon by disabling the original activity and enabling the alias.”

"The ransomware first checks to see whether it's been run on the device before, “it will generate a random number and store it in SharedPreferences, which is where persistent application data is saved. Then it will locate the device's external storage directory and start a new thread.”

Once the thread plows through the external storage directory on the hunt for files that meet certain requirements - for instance, they must be between 10KB-50KB in size and “must contain ‘.'” – then “the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task,” according to the blog post.

“We see that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos),” the research team said. “When a file that meets all the requirements is found, the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task.”

Calling the variant “relatively simple,” the researchers said to guard against emerging variants that could be more advanced, users should follow the rules of good cyber hygiene, including only downloading apps from legitimate app stores, backing up data with regularity, and paying attention to the permissions that an app requests.