Ransomware has become one of the most dangerous new forms of mobile malware. Previously confined to the desktop, it proved a very successful means for cybercriminals to extort money from victims. Then, almost exactly a year ago, Android.Defender became the first ransomware-style threat to target Android devices. Until recently mobile ransomware lay somewhat dormant, the only real development being a variant of Android.Defender found in late 2013. Within the last two months, however, three new mobile ransomware threats have been discovered.
All three Android ransomware threats are distributed as fake Android applications and are capable of locking the infected device or encrypting data stored on it. Android malware is most prevalent in Russia, so Russian Android users are normally the target of new Android malware. These ransomware families broke the mold: they have been observed targeting users in more than 35 countries, including the US and UK.
May 2014 marked the first major development in Android ransomware, when the Cryptolocker name, made infamous by wildly successful PC ransomware, migrated from PC to Android. On the Android platform Cryptolocker (also detected as Koler) locks an infected device under the pretext that the user has viewed "banned pornography (child pornography/zoophilia/rape etc)." The ransom message appears to come from a legitimate-sounding government agency (e.g. the USA Cyber Crime Center) and exists in versions for numerous countries. It goes on to say that the victim must pay a fine to regain access to the device, and that failure to pay will result in the device's contents being permanently deleted and a criminal case being brought against the victim. At $300 to unlock the device, Cryptolocker has the highest ransom of the three Android threats.
The second most expensive Android ransomware threat is a new version of the Svpeng Trojan, which demands a $200 ransom. This Svpeng variant was discovered a month later, in June, and shares many similarities with the Cryptolocker ransomware. Both threats use the guise of a government agency locking the device for viewing illicit pornography, and both demand payment via the MoneyPak prepaid card system. Both also threaten the victim with exposure, but where Cryptolocker threatens criminal prosecution, Svpeng threatens to send messages to every contact on the device informing them of the victim's supposed illicit pornographic activities.
It is odd that the most capable Android ransomware is also the one with the least expensive ransom. Simplocker is the only Android ransomware discovered so far that actually encrypts files on the victim's device. Once installed, the threat displays a ransom message and begins encrypting certain file types on the SD card, so a locked screen is not the only damage: the files themselves are unusable until decrypted. The ransom message is in Russian and likewise claims that illicit pornographic images were detected. The ransom is demanded in Ukrainian currency, 260 UAH, which amounts to about $20 USD. According to the ransom message, failure to pay will result in all encrypted files being lost.
First of all, we would like to urge users NEVER to pay a ransom! There is absolutely no guarantee that paying will unlock your device or decrypt your files. Furthermore, paying these cybercriminals encourages further crime; if the crime isn't profitable, they will stop.
Android users should be skeptical and review every application before installing it. Avoid untrustworthy sources, and if you have any concerns, research the application and its developer online. Look for a developer website, a customer service number, and a social media page, and review each to establish credibility.
Users should regularly back up their data to a computer or cloud storage. If your device is infected with a ransomware threat, we recommend that you turn it off immediately and factory reset the device. Bear in mind that a factory reset wipes the device's internal storage, so recovery is only painless if a recent backup exists; files a threat such as Simplocker has already encrypted on the SD card are not restored by the reset and must also come from a backup. ♦
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email:James@ArmorforAndroid.com; Twitter:@James_AfA