Jared
Forum Admin
Posts: 3701
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI

Android Ransomware that Encrypts JPGs and Video

Thu Feb 28, 2019 1:23 pm

So I've got a rather odd case here that showed up. I've never seen anything quite like it. It's a microSD card from an Android device. Suddenly the pictures all seemed corrupted to the user. The card and filesystem all seem normal, but the opening signature of all the jpgs and video files on the card look like this:

[attached image: Android Ransomware.jpg]


As you can see there is some variance in the opening signature, likely a checksum or key of sorts. But some elements such as the second line of 03 00 00 02 00 00 10 00 00 02 8C 2D 04 09 03 01 as well as the visible code "CONSOLE" are consistent. This is then followed by a few sectors of all zeros before random looking data begins (as you'd expect in a jpg or video).

Has anyone ever come across such an Android ransomware or have any idea which one this might actually be? There doesn't seem to be any ransom notes left behind anywhere.

Joep
Data Recovery Noob
Posts: 20
Joined: Wed Jul 12, 2017 3:11 pm

Android Ransomware that Encrypts JPGs and Video

Mon Aug 12, 2019 9:10 am

I see these all the time. I think it is Android file based encryption. Entropy in such files also suggests encryption.

No one was able to point me anywhere, I asked several places, here's one: https://www.reddit.com/r/Smartphonefore ... ncryption/

and here: https://www.reddit.com/r/datarecovery/c ... ncryption/

Someone in an Android developer forum suggested it was Android file based encryption, without any further info to go on.

And it is my impression it was mostly Samsungs but that may simply be because it is a popular brand.

Joep
Data Recovery Noob
Posts: 20
Joined: Wed Jul 12, 2017 3:11 pm

Android Ransomware that Encrypts JPGs and Video

Wed Aug 14, 2019 12:05 pm

I only noticed now your post was from months ago. Curious: Did you ever find more info on this?

Jared
Forum Admin
Posts: 3701
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI

Android Ransomware that Encrypts JPGs and Video

Thu Aug 15, 2019 8:54 am

No, I explained to the customer that it would end up being an expensive custom job to even attempt recovery and he decided it wasn't worth pursuing it further.

So, I never figured it out.

Joep
Data Recovery Noob
Posts: 20
Joined: Wed Jul 12, 2017 3:11 pm

Android Ransomware that Encrypts JPGs and Video

Thu Aug 15, 2019 10:41 am

I see, thanks for the answer though.

Kilo_SSK
Data Recovery Noob
Posts: 6
Joined: Sun Dec 29, 2019 3:43 am

Android Ransomware that Encrypts JPGs and Video

Fri Jan 24, 2020 10:40 am

Have some tools been developed since then to remove that type of encryption, or is it still a serious threat to Android users?

Joep
Data Recovery Noob
Posts: 20
Joined: Wed Jul 12, 2017 3:11 pm

Android Ransomware that Encrypts JPGs and Video

Tue Apr 07, 2020 3:06 pm

Check: https://www.ietf.org/rfc/rfc2440.txt section 5.9, see the mention of the _CONSOLE string. I dropped this in a forensics reddit sub months ago, and today received an answer ..

5.9. Literal Data Packet (Tag 11)

A Literal Data packet contains the body of a message; data that is
not to be further interpreted.

The body of this packet consists of:

- A one-octet field that describes how the data is formatted.

If it is a 'b' (0x62), then the literal packet contains binary data.
If it is a 't' (0x74), then it contains text data, and thus may need
line ends converted to local form, or other text-mode changes. RFC
1991 also defined a value of 'l' as a 'local' mode for machine-local
conversions. This use is now deprecated.

- File name as a string (one-octet length, followed by file name),
if the encrypted data should be saved as a file.

If the special name "_CONSOLE" is used, the message is considered to
be "for your eyes only". This advises that the message data is
unusually sensitive, and the receiving program should process it more
carefully, perhaps avoiding storing the received data to disk, for
example.

- A four-octet number that indicates the modification date of the
file, or the creation time of the packet, or a zero that
indicates the present time.

- The remainder of the packet is literal data.

Text data is stored with <CR><LF> text endings (i.e. network-normal
line endings). These should be converted to native line endings by
the receiving software.
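As an added example, not from the thread or the RFC, the following parser reads an OpenPGP packet header (old and new format, RFC 2440 section 4.2) and, for a tag 11 Literal Data packet, pulls out the format octet, file name, timestamp and data so a recovered file can be checked for the "_CONSOLE" marker described above. The sample packets it parses are constructed inline; the `build_literal_packet` helper is only for producing them.

```python
import struct

LITERAL_DATA_TAG = 11  # RFC 2440 section 5.9, Literal Data Packet


def parse_packet_header(buf):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet in buf."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if ctb & 0x40:  # new-format header, RFC 2440 section 4.2.2
        tag = ctb & 0x3F
        first = buf[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + buf[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", buf[2:6])[0]
        raise ValueError("partial body lengths are not handled here")
    tag = (ctb >> 2) & 0x0F  # old-format header, RFC 2440 section 4.2.1
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, 2, buf[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", buf[1:5])[0]
    raise ValueError("indeterminate length is not handled here")


def parse_literal_data(buf):
    """Decode a Literal Data packet body per section 5.9; raise if tag != 11."""
    tag, off, length = parse_packet_header(buf)
    if tag != LITERAL_DATA_TAG:
        raise ValueError(f"packet tag {tag} is not a Literal Data packet")
    body = buf[off:off + length]
    name_len = body[1]
    name = body[2:2 + name_len].decode("latin-1")
    mtime = struct.unpack(">I", body[2 + name_len:6 + name_len])[0]
    return {
        "format": chr(body[0]),            # 'b' binary, 't' text, 'l' deprecated local
        "filename": name,
        "for_your_eyes_only": name == "_CONSOLE",
        "mtime": mtime,                    # 0 means "the present time" per the RFC
        "data": body[6 + name_len:],
    }


def build_literal_packet(data, name=b"_CONSOLE", fmt=b"b", mtime=0):
    """Constructed sample only: emit an old-format tag-11 packet with a 2-octet length."""
    body = fmt + bytes([len(name)]) + name + struct.pack(">I", mtime) + data
    ctb = 0x80 | (LITERAL_DATA_TAG << 2) | 0x01
    return bytes([ctb]) + struct.pack(">H", len(body)) + body
```

Running `parse_literal_data` over the first few hundred bytes of a suspect file either returns a populated record or raises, which is a quick way to tell an OpenPGP literal packet apart from ordinary corruption.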

Joep
Data Recovery Noob
Posts: 20
Joined: Wed Jul 12, 2017 3:11 pm

Android Ransomware that Encrypts JPGs and Video

Tue Apr 07, 2020 3:07 pm

Here's the thread: https://www.reddit.com/r/datarecovery/c ... ncryption/

Oh, see it's actually in the r/datarecovery sub ..
