Two suspects arrested in connection with WannaCry Android lookalikes

Took less than a week for police to find them…

David Bisson (@DMBisson)


Chinese authorities have arrested two individuals who are believed to have helped develop and distribute Android ransomware mimicking the WannaCry ransom-worm.

On 12 May 2017, WannaCry garnered worldwide attention when it hit the United Kingdom’s National Health Service (NHS), the telecommunications giant Telefonica, and hundreds of thousands of other organizations spread across 150 countries. It’s therefore no surprise that Android developers sought to capitalize on users’ fear of this campaign.

Some exploited the WannaCry hype to create wallpaper apps and adware. Others took it a step further. By copying the ransom-worm’s well-known GUI and incorporating it into their attacks, mobile ransomware developers thought victims would be more inclined to pay.

Image: WannaCry decrypter on a computer screen (Source: El Mundo)

A program named WannaLocker was the first such copycat threat to emerge. This is in actuality a variant of SLocker, another mobile ransomware whose other variants also spiked in the weeks following WannaCry. WannaLocker spread under the guise of a cheating tool for a game called King of Glory.

Trend Micro’s mobile threat response team has more information:

“This ransomware disguises itself as game guides, video players, and so on in order to lure users into installing it. When installed for the first time, its icon looks like a normal game guide or cheating tool. Once the ransomware runs, the app will change the icon and name, along with the wallpaper of the infected device.”

The ransomware then checks for non-system files, primarily downloaded documents and images that range in size between 10 KB and 50 MB. After encrypting all files that match this description, SLocker displays its ransom note. This message includes instructions for victims to pay a ransom of as little as 20 Chinese Renminbi (less than US $2) using QQ, a popular Chinese payment service.

Image: The first mobile ransomware seen mimicking WannaCry. (Source: Trend Micro)

The low ransom value aside, linking to a QQ number wasn’t the ransomware developers’ smartest decision. It provides police with a trail of evidence leading to their doorstep.

Sure enough, just five days after security firms detected the first of several WannaCry-themed SLocker variants, Chinese authorities arrested two individuals on suspicion of participating in the campaign. Chen from Wuhu, a 20-year-old man from Anhui province, is believed to have created the ransomware. As reported by Bleeping Computer, a 13-year-old boy named Jinmou from Henan province is believed to have helped distribute it.

Computer criminals will always seek to capitalize on attack campaigns like WannaCry’s for their own profit. With that said, Android users should protect themselves by downloading apps only from trusted developers on Google’s Play Store, by backing up their data on a regular basis, and by carefully screening an app’s requested permissions before they approve a program’s installation.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Two suspects arrested in connection with WannaCry Android lookalikes”

  1. David L

    Sophos is a great security solution for Android. Feature rich, free, and no ads! They also offer a free home solution. Easy on resources, and intuitive UI.
    https://play.google.com/store/apps/details?id=com.sophos.smsec
    Read the full description in the Play Store, and there is a help section in the app, which is very helpful.
