The researcher, who uses the pseudonym fs0c1ety, said he had obtained the source code by reversing a sample of the ransomware. "It’s not the original source code," he wrote, adding that the code, which was released on GitHub, was to be used only for the purpose of research.
SLocker was first spotted in 2015 and was the first Android ransomware.
According to an analysis by Trend Micro earlier this month, the SLocker family "is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom".
SLocker runs in the background after it infects a mobile device, encrypting selected files. It can also make the device inaccessible.
According to Trend Micro, it disguises itself as game guides, video players, and similar apps to lure users into installing it.
"When installed for the first time, its icon looks like a normal game guide or cheating tool. Once the ransomware runs, the app will change the icon and name, along with the wallpaper of the infected device," the analysis said.
It added: "We see that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos). When a file that meets all the requirements is found, the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task.
"The new task will use a method named 'getsss' to generate a cipher based on the previously generated random number. This method computes the MD5 of the random number and selects 16 characters as a string from the hexadecimal representation of the MD5.
"After the string is generated, the ransomware will feed it to SecretKeySpec to construct the final key for AES before using AES to encrypt files."