Armor for Android, ArmorforAndroid, Armor for Android malware, Armor for Android free, Android malware, James Green

Android Ransomware Resurfaces as Malware-for-Hire

Is this a start of a new trend? For the second time in as many months we have seen Android malware for sale on the criminal under-web. Cybercriminals have been selling computer malware and renting botnets for years, but in 2014, Android malware is popular enough to make its way to the malware sales floor.

The first Android ransomware up for sale: CryptoLocker, one of the most robust and successful PC ransomware threats of all time now with added capability to infect and seize control Android devices.


This devious Android threat arrives to devices as a drive-by-download when visiting unseemly websites (i.e. illegal pornography) from an Android device. These websites may also appear as a popup advertisement legal pornographic websites.

Fortunately for Android users the automatically downloaded CryptoLocker threat must be manually installed, so there is a chance to avoid infection. This is a great example of why you should never install any applications that you did not actively seek out. Pushy ads or automatic downloads are regularly used to distribute malware.

The automatically downloaded application is advertised as an app affiliated with the type of pornography portrayed on the associated website, but anyone who installs this application will quickly regret it. Other than the nefarious media content there no real warning the application is malicious. There are no suspicious permissions requested and the application name and icon are rather innocuous.


When installed the CryptoLocker ransomware hijacks the infected Android device and prevents the user from accessing information or using the device. An alert is displayed stating that the device has been observed viewing illicit content and has been locked by a government "cyber defense" agency from one of several different countries. To regain access to the locked device the victim must pay a "fine." Obviously this alert is a scam, this malware has no affiliation with any real government agency, but the threat very real. If the user ever wants access to their device and information they must pay the ransom in full.


To unlock the infected device the "fine" must be paid within 48 hours or the ransomware states a "criminal case will be opened against" the victim. A fake but compelling incentive to ensure prompt payment considering the applications advertised contents. The user can exit this ransom message to get back to their home screen but the rest of the device is locked. Any attempt to use the a device feature (phone call, web, apps, etc ) will re-launch the ransomware message.

These cybercriminals are not about to publish a mailing address bank account where the ransom funds can be sent, instead they use MoneyPak cards to anonymously receive the funds. The numerical amount of the ransom differs between currencies but the malware requests a payment of $300 in the US to unlock the infected device. The victim must purchase a MoneyPak card from a local shop for the correct amount and then enter the card and PIN number into fields provided within the ransomware message.


Once the ransom has been paid the device is restored to working order within 48 hours. The new Android CryptoLocker malware can operate in 31 different countries and has a different ransomware message for each (the following countries are targeted: Austria, Australia, Belgium, Bolivia, Canada, Czech Republic, Denmark, Ecuador, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Mexico, Netherlands, Norway, New Zealand, Poland, Portugal, Romania, Spain, Slovakia, Slovenia, Sweden, Switzerland, Turkey, United Kingdom, United States). If you are interested in viewing the ransomware message for different countries please visit the original analysis of this new CryptoLocker variant by malware analyst "Kafeine."

Android Protection

Knowing how to safely surf the web is one of the most important aspects of personal cyber security and education is one of the most powerful tools. If you know how to recognize malicious programs and applications you can avoid them altogether and save yourself the hassle and costs of recovering from a malware infection. Included below are a few points to keep in mind when using your Android device (or any computing device) to ensure that you are safe and secure on the web.

  • Be skeptical! Always research a program or application before installation. Research the application and the app developer to establish credibility. Review the product/developer website for customer support phone number or email and review the social media pages to see what people are saying about the product.
  • Avoid downloading apps or programs that found you. If you did not actively seek a program then avoid installing apps from pushy ads or automatic downloads.
  • Stay current with application and operating system updates. Updates often include security patches that are designed to fix newly discovered vulnerabilities.
  • Install and USE an Android antivirus application to protect you from threats that slip past your personal defenses.♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users.; Twitter:@James_AfA

Share This Story