Tuesday, March 10, 2015

Russian ransomware pretends to be from Ministry internal affairs of Russia

Ransomware can lock your phone accusing you from viewing scenes of pedophilia and other perversions. In order to unlock your phone it demands (500 rubles ~ 7.6 Euro) within 36 hours.

Malware comes with simple icon and name ("DDDDDDDDD").

App icon


After launching you will be prompted to grant device admin access to the application.

Request device admin access

Window requesting device administrator rights is pushed to foreground every second, it's practically impossible to cancel it. User is forced to grand administrator access to application. 
After activating your phone will be locked and if you want your phone to by unlocked again you have to pay ransom (500 rubles ~ 7.6 Euro). To not look so suspicious malware is accousing you for viewing porhograpy, scenes of rape, bestiality, pedohpilia and other perversions. If you will not pay within 36 hours, then it threatens to you, that it will send SMS to all your contacts that your phone has been locked for viewing scenes of  pedophilia after which all data will be deleted and phone will be locked forever! Pretty drastic right, who wants to have his phone to be locked forever :)

Locked screen requesting ransom

Malware will not encrypt your data and will not send SMS to all your contacts.


If you got infected there is a way to get rid of it, but firstly you need to have Android Debuge Bridge (ADB) on your computer. ADB is command line tool that lets you communicate with an emulator or connected Android device.

Firstly you have to stop running process executing the command: adb shell am force-stop commer.version.mantle

When process is stopped you have to remove granted device administrator access to this application from Settings -> Security -> Device administrators and deactivate it. When you try to disable it you will get made-up message "Internal application error".

Internal application error

After that ransom window starts again. You have to stop running process again and your malicious application is removed from list of device administrator applications. Now you have to uninstall application and never run it again.

Interesting on this malware is that only few strings are encrypted not all of them.

Detection rate for this sample isn't very high, when malware was uploaded on Virus Total only four vendors were detecting it.

Virus Total detection rate

Sample info

MD5: 5F7FE140E6447076567A5B0A80ADB723
Package name: commer.version.mantle

No comments:

Post a Comment