Android Users Beware -- ‘Mandiant’-Branded Malware Identified

FireEye Labs recently identified malware for Android devices that masquerades as a Mandiant product. The malware can lock Android devices and displays a lock screen that uses the Mandiant brand.

To a victim in the United States, this lock screen may appear as:

Figure 1

To try to make the lock message more convincing, the criminals can use a different header image depending on the victim's country:

- Banner displayed to victims in the US
- Banner displayed to victims in Australia
- Banner displayed to victims in Ireland
- Banner displayed to victims in Poland
- Banner displayed to victims in France

The Android malware is typically delivered by tricking the victim into installing it after visiting a malicious website. Once installed, it starts on every boot, so the lock screen reappears after each reboot. The malware can communicate with several command and control servers using the following domains:

- police-strong-mobile[.]com

- mobile-policeblock[.]com

- police-secure-mobile[.]com

- police-scan-mobile[.]com

- police-mobile-stop[.]com

- police-guard-mobile[.]com

Our research indicates police-strong-mobile[.]com is actively in use, and has been online since March 29, 2014.
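As an added example (not code from the FireEye post), the following script matches the C2 domains listed above against DNS query log lines. The domains are published defanged with "[.]", so they are refanged before use, and subdomains of each C2 domain are matched while look-alike names that merely end in the same characters are not. The log format and the log lines are constructed for the example and are not real telemetry.

```python
import re

# C2 domains from the post, as published (defanged with "[.]").
DEFANGED_C2_DOMAINS = [
    "police-strong-mobile[.]com",
    "mobile-policeblock[.]com",
    "police-secure-mobile[.]com",
    "police-scan-mobile[.]com",
    "police-mobile-stop[.]com",
    "police-guard-mobile[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}


def is_c2_domain(name: str) -> bool:
    """True if name is one of the C2 domains or a subdomain of one.
    Comparison is label-aware, so 'notpolice-strong-mobile.com' does not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


# Constructed sample log lines in a dnsmasq-style query format (assumed layout).
SAMPLE_LOG = """\
Apr 01 10:02:11 dnsmasq[123]: query[A] www.google.com from 10.0.0.5
Apr 01 10:02:15 dnsmasq[123]: query[A] police-strong-mobile.com from 10.0.0.17
Apr 01 10:02:16 dnsmasq[123]: query[A] cdn.police-scan-mobile.com from 10.0.0.17
Apr 01 10:02:20 dnsmasq[123]: query[A] notpolice-strong-mobile.com from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def find_c2_queries(log_text: str):
    """Return (client, queried_name) pairs for every query that hits a C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_domain(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for client, name in find_c2_queries(SAMPLE_LOG):
        print(f"{client} queried C2 domain {name}")
```

Against the sample lines this reports two hits, both from 10.0.0.17; the look-alike query from 10.0.0.9 is correctly ignored.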

The apps themselves are well obfuscated: the method names inside the app are meaningless strings, and the names of the methods the app calls are built dynamically at runtime by decoding them with a 5-byte XOR key. We have also observed a different XOR key for every decoding instance. The app also blocks access to the device's images and forces the user to pay a fee to regain access to the contents.

This isn't the first time that we've seen cybercriminals trading on Mandiant's brand. Last year, Mandiant identified PC malware that was locking users' computers and displaying content saying the system was locked due to criminal activity. As we indicated last year, this is part of a scam designed to extort money from victims.

We recommend that victims of this malware report the incident to the FBI's Internet Crime Complaint Center (IC3).