A GitHub user named hackerxphantom, or XPhantom, created XRansom. The user allegedly created the tool for educational purposes only, and based on the use of variants in the wild, malicious actors have been misusing it. For example, Free Followers is a variant that leveraged XRansom. XRansom is what is known as a builder - a tool that enables users to build ransomware payloads. XPhantom wrote the payload creation tool in Python, and its behavior is elementary. As advertised, the payload doesn't require root access and allows users to customize the payload by enabling customization of the app icon, app name, ransom note title and description, and the password to unlock the device.
Luckily, this isn't traditional ransomware that encrypts files. It is a locker that locks the user out of the device by using the SYSTEM_ALERT_WINDOW permission. An alert window with this permission type overlays the entire screen, and users can't dismiss the modal unless they perform a particular action. Well, the action here is a password that, even if the user enters it correctly, will close the alert window and have it immediately reopen again. It is an infinite loop, only terminated by restarting the device or killing the app process. It's not sophisticated ransomware, but ransomware nonetheless.
Although XRansom isn't ransomware - it's a ransomware creation tool - XPhantom created a sample payload called "xphantom.apk" included herein. They created it for demonstration purposes, and this is where the second ransom note and sample hash come from.
