Top Android Ransomware Threats

Malicious programs categorized as ransomware, which encrypts their victims’ personal files and demands a ransom for restoring the locked data, proved to be extraordinarily profitable for cyber extortionists. A lot of infected users end up giving in to perpetrators’ demands and pay to recover their data. Windows users are suffering most heavily from ransomware. As mobile platforms are exhibiting rapid growth in user count, though, ransomware authors have started to target mobile devices as well. Researchers rank ransomware the number one mobile malware threat for 2016. We can already list several known strains of Android ransomware at this point.

Xbot

The relatively recent Xbot Trojan family encompasses more than 20 offending apps. This infection can steal Android users’ personally identifiable data and banking credentials by leveraging a phishing hoax. To get the job done, it imitates Google Play payment screen and Login interfaces for several e-banking applications. Another nasty functionality is remote data encryption – Xbot can encode files stored on the SD card. Then, it tells victims to redeem their data by paying a ransom of 100 USD via PayPal. To top it off, the malware pilfers text messages and contacts.

Xbot mostly targets users in Australia and Russia. Based on code analysis, it appears to be a newer version of the infamous Trojan dubbed Aulrin, which surfaced in 2014. However, whereas Aulrin used Lua and .NET framework to operate, Xbot relies on the Rhino JavaScript engine by Mozilla. Furthermore, the Trojan employs DexGuard technology to prevent security researchers from reverse engineering its code.

The author of Xbot is most likely from Russia. The JavaScript code contains comments in Russian, and the above-mentioned Google Play phishing scam featured a misleading notification in the same language. Also, a Russian registrar was used to register some of the malware’s Command and Control domains.

Xbot reaches out to its C2 server after infiltrating a device. Depending on the incoming commands, the infection may act differently. For example, if a “cc_notify” command is received the Trojan starts deploying the Google Play payment page fraud. In case the of “enable_inject” command, the malware looks for apps related to a number of Australian banks. If one is detected, a fake banking application interface is displayed on top of the original program, which allows the attackers to intercept the login credentials and transmit them to the C2 server.

In the event Xbot receives an “enable_locker” command, it encrypts the user’s personal files and displays a ransom page. The alert says that the victim has five days to buy a 100 USD worth PayPal card and provide the card’s number otherwise the files will be lost.

The Trojan can also parse text messages that the user receives from banks’ premium rate numbers. This way, the scoundrels attempt to get hold of the person’s account details and confirmation codes for various transactions.

Lockdroid
This iteration of Android ransomware employs Google’s Material Design to build a trustworthy-looking user interface. Material Design is a language created by Google that features grid-based layouts, fancy depth effects, and responsive visual components to deliver intuitive experience across the company’s services. The criminals behind Lockdroid use this style to generate counterfeit legal warnings and display the harvested device logs along with sensitive user details in a bid to make the extortion scarier and more realistic.

The perpetrators are distributing Lockdroid by masquerading its payload as an application update package rolled out by Google. Tapping the “Continue” button on the phony “Package Installation” dialog effectively authorizes the harmful installation and furtively invokes the respective API. To that end, the infection harnesses a TYPE_SYSTEM_ERROR popup window generated on the highest UI layer. This window pretends to request permission to unpack the alleged update package components.

Then, the user is suggested to tap another “Continue” button on the “Installation is Complete” popup. The latter is, in fact, a TYPE_SYSTEM_OVERLAY window displayed on top of the administrator activation dialog. Therefore, users end up tapping the “Activate” option while they think they are simply moving on with the software update. Referred to as clickjacking, this type of fraud can only be deployed on devices running operating system versions under Android 5.0.

Having hit a device, the virus grabs the entirety of device logs such as the browser history, text messages and call records. This being done, it locks the phone and displays a ransom alert on the lock screen. The deceptive warning states that the user has accessed forbidden materials and that the respective logs are now in law enforcement’s custody. The lock screen menu includes options to view the log details, making the risk appear yet more true-to-life. This isn’t a new vector of ransomware activity, but the strain in question makes the collected private data available to the infected person.

Lockerpin

Lockerpin, which pretends to be yet another x-rated media content player, is distributed in a similar fashion. Reputable services like Google Play are not involved in the spreading process. This campaign, however, is a lot more hazardous because it exploits the stock screen lock features built into Android.

More than 75% of Lockerpin victims are from the United States. The malware gets administrator-level permissions on the device as the victim unknowingly confirms this, thinking it’s a harmless update that’s being approved. Owing to the admin privileges obtained this way, the applet modifies the PIN code, thus making it impossible to access the smartphone or tablet. Lockerpin demands a fine of 500 USD for purportedly viewing and storing prohibited material. When the infected user tries to disable Device Admin for the Trojan, a call-back function will automatically restore the elevated permissions.

This infection has introduced a more sophisticated modus operandi to the Android lock screen malware environment since the locking principle no longer relies on just a recurrent triggering of the ransom warning at the foreground. Without root privileges in place, the victim cannot uninstall the malware because it overlays the Device Administrator window with a fake one. Therefore, tapping “Continue” simply reactivates the Trojan’s privileges.

The malicious app can be safely removed in the event the Android device had been rooted before the attack. All it takes to get the job done in these favorable circumstances is launch ADB (Android Debug Bridge), enable debugging and obliterate all files related to the ransomware. Also, the user may be able to reset the PIN if an MDM (mobile device management) tool is running on the gadget. A factory reset fixes the problem as well, but it erases the victim’s files.

The ransomware also adopts antivirus evasion techniques. In particular, it terminates the executables of ESET Mobile Security, Avast Mobile Security and Dr.Web for Android.

Simplocker

This sample is the first-ever Android ransomware that encrypts files. It emerged from the Russian underground forum and was originally spotted in the wild in summer 2014. Simplocker represents the Reveton family known for coining the infamous police ransomware. It denoted a revolutionary transition of crypto malware from Windows to Android. This pest locates files with certain extensions on the SD card, then leverages the AES algorithm to encode them, and ultimately triggers an extortion routine for data decryption. The compromised user is tricked into thinking the gadget was blocked by a law enforcement agency due to allegedly detected illegal activity involving child pornography or a similar felony. This is intrinsic to the aforementioned police ransomware. For the sake of persuasiveness, Simplocker displays camera feed from the targeted phone or tablet.

The first edition of this Trojan featured geo-restricted propagation. It only targeted Android users in Ukraine and Russia, and the ransom instructions were in Russian. The fee amounted to the local currency equivalent of 21 USD, and the victims could pay it using the MoneXy service. The files ciphered by this variant were easy to recover because the decryption key was hard-coded into the Trojan. Furthermore, the keys weren’t unique for every infected gadget.

The second iteration is more sophisticated. Its distribution scope expanded to more countries, and the ransom notes are in English. The decryption keys are unique for each smartphone, which makes recovery barely feasible. The ransom amounts to 300 USD, and the infected users are supposed to submit it via MoneyPak pre-paid service.

The Simplocker payload is deposited onto Android devices through a fake Flash Player installation. The would-be victims get a misleading popup alert that promotes the shady setup, stating that it’s mandatory for watching videos. If the ad is clicked and the installation begins, the phony Flash Player requests administrative privileges, which ultimately leads to the deployment of the crypto attack behind the scenes.

The malady reaches out to its C2 server every 60 minutes. When the connection is first established, it transmits identification data which is unique to the specific gadget, such as the OS, BUILD_ID, IMEI, PhoneNumber, OperatorName, etc. This Command and Control server, which is hosted on Tor anonymity network, subsequently issues the details for decryption after the victim submits the ransom.

Android Defender

This one surfaced back in 2013. Android Defender is believed to be a pioneer in the array of mobile ransomware plagues accommodating rogue antivirus characteristics and the capability of locking the screen of an infected smartphone. This app is distributed via multiple shady sites, but Google’s Play Store never was one of them. Users are duped into downloading something they think is Skype with a free phone call feature.

The app operates similarly to fake antivirus programs. Victims are told their gadget is infected with malware, and they need to pay 129 USD to resolve the issue, which is essentially a removal of nonexistent viruses. To appear trustworthy, the offending applet pretends to detect Android infections that exist, including Android.MailStealer. Android Defender’s APK file contains an XML data file that stores the names of bogus threats reported by this malware. The purported malware database seems to increase in size every time a daily “update” completes, but that’s just an effect from Java pseudorandom number generator functioning and not the real update.

The pest modifies some of the operating system settings so that the infected person is unable to do a factory data reset. The user may, therefore, have to perform a hard reset by connecting the gadget to a desktop computer. If something goes wrong during this process, the device may become inoperable.

The harmful program cannot be uninstalled by regular means. The threat prevents other apps from being executed, and causes system crashes once in a while. Overall, Android Defender disrupts the functioning of the mobile device, reports imaginary problems on purpose and acts as a ransomware threat.

If the victim refuses to pay, the app offers a discount, and the amount goes down to 89 USD. No matter how much you pay, though, you get nothing useful in return except a relief from discontinued popup alerts. The good news is that the malware has reportedly attacked only about 50 devices, and the criminals weren’t very professional as they didn’t even get the payment page working properly.

Android Ransomware Prevention

• Keep your Android software up to date.
• Stay away from apps distributed on unfamiliar websites. Most ransomware samples emanate from application downloads available on freeware sites as well as third-party app stores.
• Be sure only to install apps from reputable stores like Google Play or Amazon Appstore. Be advised, though; that caution won’t hurt even if you stick with trustworthy sites like these. Scrutinize every applet and resort to user reviews before making up your mind.
• Examine the set of permissions requested by every app.
• Use a reliable mobile security suite.
• Make regular backups.