Fusob is mainly spread via p*rn sites. On clicking the “Download App Now!” button, the Fusob ransom Trojan is downloaded onto the user’s device.
Once the Trojan is executed, it runs a check of the device language (Locale.getDefault().getCountry()), and for the following countries it will not perform any malicious actions:
- KZ Kazakhstan
- AZ Azerbaijan
- BG Bulgaria
- GE Georgia
- HU Hungary
- UA Ukraine
- RU Russian Federation
- AM Armenia
- BY Belarus
If the country is not included in the list, the Trojan asks for device administrator rights and displays a message notifying the user that the device is being updated. The device can be still used, but the Trojan blocks access to the device settings by overlaying them with its own window. This is how it protects itself from being removed.
Meanwhile, the Trojan collects information about the device and sends it to the attackers. In doing so, it uploads two different sets of data to the Command and Control (C&C) server. The first set of data contains information about the device, such as device model, the version of the operating system, etc. This data is encoded with the Base64 algorithm and uploaded to the criminals’ server. The second data set, among other things, contains the user location and the call log with names from the contact list. This set is encrypted by the AES algorithm and loaded to a malicious C&C server.
The Trojan then waits for the attackers’ command with the necessary data to block the device.
For this purpose, the Trojan uses an HTML file received from the C&C. The Trojan itself includes functionality that can be activated from this file. Among several functions integrated into the Trojan, two functions cause particular concern. They are: getImage(), which takes a photo with the help of the device’s front camera, and inst() used to install a previously downloaded APK file.