Skip to main content

New types of android ransomware

(Image credit: Image Credit: CyberHades / Flickr)

The impact of ransomware isn’t isolated to computers and servers. Lured by the ubiquity of smart mobile devices and the fact that most people store valuable data on them, online extortionists are increasingly targeting these gadgets nowadays. Moreover, it turns out that Android, the world’s most popular mobile operating system, is low-hanging fruit when it comes to these attacks.

Boasting a 76 per cent global market share, this platform is a goldmine of exploitation opportunities for malicious actors. Remarkable flexibility is undoubtedly on the plus side of Android in terms of the user experience, but it is also a weak link that allows crooks to bypass security mechanisms when distributing their infections. The following sections will give you the lowdown on notorious outbreaks of Android ransomware and shed light on the best practices of protecting your device against the emerging plague.

FileCoder ransom Trojan self-spreading over SMS spam

In mid-July 2019, mobile security researchers discovered a strain of Android ransomware that leverages a very peculiar, multi-pronged propagation technique. Codenamed Android/FileCoder.C, this culprit is doing the rounds through a combo of malware-riddled links posted on popular online discussion forums and text messages sent from devices that have already been contaminated.

The crafty architects of this campaign originally wrote booby-trapped comments on Reddit and XDA Developers portal, encouraging the other users to click unsafe links or use the embedded QR codes that led to the malicious app downloads. To arouse the forum members’ curiosity, these messages claimed to advertise NSFW content, such as adult videos or sex simulation apps. The offensive posts were promptly deleted due to fraud reports from the analysts, but the toxic apps had collected dozens of downloads by that time.       

Once an unsuspecting user runs the .apk file provided by the criminals, the camouflaged ransomware requests quite a few permissions on the target device so that it can read and write to external storage, set a new wallpaper, read contacts, send text messages, and access the Internet. With more than 40 language versions available, the infection covers a maximum audience.

As soon as FileCoder gains a foothold on the Android device, it sends eye-catching SMS messages with the dangerous links in them to all of the victim’s contacts. To instill more trust, it inserts a contact’s name at the beginning of each message. The catch is that the linked-to application allegedly contains the recipient’s photos, so people are quite likely to get interested and follow the link. As a result, the Trojan can spread itself autonomously, using an infected gadget as a launch pad for further proliferation.

The next move of the pest is to scour the device’s storage for personal data and encrypt all the detected entries with a mix of AES and RSA ciphers. The name of every hostage file is concatenated with the .seven extension. Then, FileCoder replaces the victim’s wallpaper image with a ransom note that demands 0.01 Bitcoin (about $120) for the secret decryption key. Although the alert says that the files will be completely erased unless the ransom is paid during 72 hours, this appears to be an empty threat with no real data wiping functionality behind it. One way or another, this attack is revolutionary to an extent and it certainly does a lot of harm to those infected.

WannaLocker, mobile threat mimicking WannaCry

A sample of Android ransomware dubbed WannaLocker wrought the most havoc in June 2017. Its distribution was limited to Chinese users, and it specifically zeroed in on mobile gaming fans. The malicious payload was camouflaged as a plugin for “King of Glory”, a game that was going viral in China around that time. The ransomware operators uploaded the deleterious program to popular gaming forums and included an enticing description to dupe users into downloading and launching it.

The pseudo-plugin would conceal its icon from the app drawer to avoid quick removal in case the victim noticed the foul play from the get-go. Then, the infection would start encoding data found on the external storage, where most Android users keep their photos, videos, documents, and other personal information. It employed symmetric AES cryptosystem to lock down the files, skipping objects that were smaller than 10 kilobytes, ones with a dot preceding the filenames, and items located in folders with the following terms in their names: “android”, “DCIM”, “com.”, “miad”, and “download”.

Having completed the encryption, the offending code would display a ransom message that looked nearly identical to the alert shown by WannaCry, the infamous Windows ransomware that had been spreading cyber mayhem around the world during the previous month. This resemblance was probably an extra scare element of the mobile campaign aimed at pressuring the victims into coughing up the ransom.

WannaLocker demanded 40 RMB (Chinese Renminbi), worth roughly $5, payable with WeChat, Alipay, and QQ. Besides the low amount, this was also unusual because payments in regular currency could be easily traced back to the ransomware distributors. Analysts argue that the non-cryptocurrency ransom approach meant this gang was recklessly going after quick enrichment. WannaLocker has evolved significantly ever since. In July 2019, its new variant was discovered that goes bundled with a RAT (Remote Access Trojan) and a banking Trojan.

LeakerLocker ransomware spreading via Google Play

Android ransomware was booming in the summer of 2017. In addition to the above-mentioned WannaLocker, another strain surfaced a month later that really stood out from the rest. The security researchers who discovered the parasite coined a fairly self-explanatory name for it – LeakerLocker, based on the extortion tactic it used. Instead of encrypting the victims’ files, it threatened to leak their sensitive data to everyone on their contacts list in case of non-payment.

This ransomware was distributed under the guise of two benign-looking apps called “Booster and Cleaner Pro” and “Wallpapers Blur HD”. Both were available on Google’s Play Store. As a bait to make more victims, the malefactors paid a small reward to every user who installed the apps. This clever maneuver allowed the trojanised programs to collect about 10,000 installs in total before Google removed them from their marketplace.

When on board a device, LeakerLocker would harvest as much private information as possible, including the user’s browsing history, text messages, calls log, and photos. Then, it would show a ransom note stating that the entirety of the personal data has been copied to the attackers’ cloud. It also said that these records would be sent to all of the victim’s contacts unless a $50 ransom was paid within 72 hours. Although there is no evidence that LeakerLocker was actually capable of sending out the information it gathered, specialists claim this is technically feasible.

The uniqueness of this specimen was that it didn’t render one’s files inaccessible. It locked the screen with the scary ransom warning that prevented the victims from using their devices in the regular way until they sent the money. The payment channel was quite odd, too: the crooks instructed users to pay with their credit card. Again, this approach is a risky business that might get the extortionists chased down and caught by law enforcement. Poor OPSEC (operations security) is generally the weakest link of many Android ransomware campaigns.

How to protect your Android device from ransomware?

There is no one-size-fits-all recommendation in this regard. The most important thing to keep in mind is that blackmail infections mostly infiltrate Android smartphones because the users unwittingly allow them to. The incidents above demonstrate how easily scammers can brainwash people into installing a harmless-looking app or plugin that turns out to be a wolf in sheep’s clothing. Therefore, the fundamental tip is to exercise caution with suspicious downloads. A few more do’s and don’ts to stay on the safe side are as follows:

  • Keep the Android OS up to date
  • Don’t download apps from third-party sources (stick with Google Play)
  • Ignore pop-up ads that tell you to install or update an app
  • Refrain from clicking links received via SMS, instant messengers, or email
  • Don’t overshare on social networks
  • Use strong passwords
  • Use antivirus software for Android
  • Back up the most important data

The good news is that the present-day Android ransom Trojans aren’t nearly as sophisticated as their computer counterparts. They are quickly evolving, though. Under the circumstances, you should proactively safeguard your personal data and nurture a proper web surfing hygiene.

Eric Muntz, founder, Keone Software (opens in new tab)

Eric Muntz, founder Keone Software.