Threat Intelligence

Top 7 Android Ransomware Threats

David Balaban
March 11, 2016 by
David Balaban

Malicious programs categorized as ransomware, which encrypts their victims' personal files and demands a ransom for restoring the locked data, proved to be extraordinarily profitable for cyber extortionists. A lot of infected users end up giving in to perpetrators' demands and pay to recover their data. Windows users are suffering most heavily from ransomware. As mobile platforms are exhibiting rapid growth in user count, though, ransomware authors have started to target mobile devices as well. Researchers rank ransomware the number one mobile malware threat for 2016. We can already list several known strains of Android ransomware at this point.

1) Android Defender

This one surfaced back in 2013. Android Defender is believed to be a pioneer in the array of mobile ransomware plagues accommodating rogue antivirus characteristics and the capability of locking the screen of an infected smartphone. This app is distributed via multiple shady sites, but Google's Play Store never was one of them. Users are duped into downloading something they think is Skype with a free phone call feature.

The app operates similarly to fake antivirus programs. Victims are told their gadget is infected with malware, and they need to pay 129 USD to resolve the issue, which is essentially a removal of nonexistent viruses. To appear trustworthy, the offending applet pretends to detect Android infections that exist, including Android.MailStealer. Android Defender's APK file contains an XML data file that stores the names of bogus threats reported by this malware. The purported malware database seems to increase in size every time a daily "update" completes, but that's just an effect from Java pseudorandom number generator functioning and not the real update.

The pest modifies some of the operating system settings so that the infected person is unable to do a factory data reset. The user may, therefore, have to perform a hard reset by connecting the gadget to a desktop computer. If something goes wrong during this process, the device may become inoperable.

The harmful program cannot be uninstalled by regular means. The threat prevents other apps from being executed, and causes system crashes once in a while. Overall, Android Defender disrupts the functioning of the mobile device, reports imaginary problems on purpose and acts as a ransomware threat.

If the victim refuses to pay, the app offers a discount, and the amount goes down to 89 USD. No matter how much you pay, though, you get nothing useful in return except a relief from discontinued popup alerts. The good news is that the malware has reportedly attacked only about 50 devices, and the criminals weren't very professional as they didn't even get the payment page working properly.

2) Simplocker

This sample is the first-ever Android ransomware that encrypts files. It emerged from the Russian underground forum and was originally spotted in the wild in summer 2014. Simplocker represents the Reveton family known for coining the infamous police ransomware. It denoted a revolutionary transition of crypto malware from Windows to Android. This pest locates files with certain extensions on the SD card, then leverages the AES algorithm to encode them, and ultimately triggers an extortion routine for data decryption. The compromised user is tricked into thinking the gadget was blocked by a law enforcement agency due to allegedly detected illegal activity involving child pornography or a similar felony. This is intrinsic to the aforementioned police ransomware. For the sake of persuasiveness, Simplocker displays camera feed from the targeted phone or tablet.

The first edition of this Trojan featured geo-restricted propagation. It only targeted Android users in Ukraine and Russia, and the ransom instructions were in Russian. The fee amounted to the local currency equivalent of 21 USD, and the victims could pay it using the MoneXy service. The files ciphered by this variant were easy to recover because the decryption key was hard-coded into the Trojan. Furthermore, the keys weren't unique for every infected gadget.

The second iteration is more sophisticated. Its distribution scope expanded to more countries, and the ransom notes are in English. The decryption keys are unique for each smartphone, which makes recovery barely feasible. The ransom amounts to 300 USD, and the infected users are supposed to submit it via MoneyPak pre-paid service.

The Simplocker payload is deposited onto Android devices through a fake Flash Player installation. The would-be victims get a misleading popup alert that promotes the shady setup, stating that it's mandatory for watching videos. If the ad is clicked and the installation begins, the phony Flash Player requests administrative privileges, which ultimately leads to the deployment of the crypto attack behind the scenes.

The malady reaches out to its C2 server every 60 minutes. When the connection is first established, it transmits identification data which is unique to the specific gadget, such as the OS, BUILD_ID, IMEI, PhoneNumber, OperatorName, etc. This Command and Control server, which is hosted on Tor anonymity network, subsequently issues the details for decryption after the victim submits the ransom.

3) Adult Player

Adult Player claims to be a porn video player solution. It's trickier than most counterparts as it does what's promised for a while without locking the device. It turns out, though, that the infection uses this timeout to its advantage, taking photos of the victim with the gadget's frontfacing the camera. This way, it collects stronger extortion arguments than just the risk of losing personal files, threatening the person also to make some embarrassing pictures public. The phone lock routine is accompanied by a ransom screen displaying the victim's photos.

Adult Player asks for administrative rights once installed and opened for the first time. When the unsuspecting user taps the "Activate" button on the app's interface, they see a spoof update page that only pretends to reflect an update routine. In fact, the malware uses a so-called reflection attack to load a new APK named "test.apk". The reflection technique is used to analyze and change the behavior of an object at runtime as opposed to compile time. In this case, the likely goal is to prevent detection and static analysis.

On the initial stage of the attack, the Trojan transmits the device model and Android version information over to a remote Command and Control server. Overall, it may connect to a total of 4 hard-coded domains. The size of the ransom being extorted is 500 USD, and it's payable via PayPal. A reboot does not get the lock screen out of the way.

At the end of the day, the device becomes virtually inoperable. Luckily, the troubleshooting isn't too complicated in this case: the user needs to reboot the gadget in safe mode, cancel admin privileges for the offensive app and then uninstall it. Predictably enough, this application is peddled on web forums and torrent pages and cannot be installed from any official online resources.

4) Lockerpin

Lockerpin, which pretends to be yet another x-rated media content player, is distributed in a similar fashion. Reputable services like Google Play are not involved in the spreading process. This campaign, however, is a lot more hazardous because it exploits the stock screen lock features built into Android.

More than 75% of Lockerpin victims are from the United States. The malware gets administrator-level permissions on the device as the victim unknowingly confirms this, thinking it's a harmless update that's being approved. Owing to the admin privileges obtained this way, the applet modifies the PIN code, thus making it impossible to access the smartphone or tablet. Lockerpin demands a fine of 500 USD for purportedly viewing and storing prohibited material. When the infected user tries to disable Device Admin for the Trojan, a call-back function will automatically restore the elevated permissions.

This infection has introduced a more sophisticated modus operandi to the Android lock screen malware environment since the locking principle no longer relies on just a recurrent triggering of the ransom warning at the foreground. Without root privileges in place, the victim cannot uninstall the malware because it overlays the Device Administrator window with a fake one. Therefore, tapping "Continue" simply reactivates the Trojan's privileges.

The malicious app can be safely removed in the event the Android device had been rooted before the attack. All it takes to get the job done in these favorable circumstances is launch ADB (Android Debug Bridge), enable debugging and obliterate all files related to the ransomware. Also, the user may be able to reset the PIN if an MDM (mobile device management) tool is running on the gadget. A factory reset fixes the problem as well, but it erases the victim's files.

The ransomware also adopts antivirus evasion techniques. In particular, it terminates the executables of ESET Mobile Security, Avast Mobile Security and Dr.Web for Android.

5) Lockdroid

This iteration of Android ransomware employs Google's Material Design to build a trustworthy-looking user interface. Material Design is a language created by Google that features grid-based layouts, fancy depth effects, and responsive visual components to deliver intuitive experience across the company's services. The criminals behind Lockdroid use this style to generate counterfeit legal warnings and display the harvested device logs along with sensitive user details in a bid to make the extortion scarier and more realistic.

The perpetrators are distributing Lockdroid by masquerading its payload as an application update package rolled out by Google. Tapping the "Continue" button on the phony "Package Installation" dialog effectively authorizes the harmful installation and furtively invokes the respective API. To that end, the infection harnesses a TYPE_SYSTEM_ERROR popup window generated on the highest UI layer. This window pretends to request permission to unpack the alleged update package components.

Then, the user is suggested to tap another "Continue" button on the "Installation is Complete" popup. The latter is, in fact, a TYPE_SYSTEM_OVERLAY window displayed on top of the administrator activation dialog. Therefore, users end up tapping the "Activate" option while they think they are simply moving on with the software update. Referred to as clickjacking, this type of fraud can only be deployed on devices running operating system versions under Android 5.0.

Having hit a device, the virus grabs the entirety of device logs such as the browser history, text messages and call records. This being done, it locks the phone and displays a ransom alert on the lock screen. The deceptive warning states that the user has accessed forbidden materials and that the respective logs are now in law enforcement's custody. The lock screen menu includes options to view the log details, making the risk appear yet more true-to-life. This isn't a new vector of ransomware activity, but the strain in question makes the collected private data available to the infected person.

6) Jiust

Jisut, also known as Android/LockScreen.Jisut is not a run-of-the-mill infection. Its distributors appear to pursue prankish objectives rather than be motivated by money. Propagation of this Trojan is mostly localized to China, and it was most likely created by unprofessional script kiddies.

The majority of Android ransomware samples demand their victims to submit ransoms via pre-paid services like MoneyPak or the Bitcoin cryptocurrency system, but the operators of Jisut seem to disregard anonymity completely. The lock screen displayed by Jisut tells the infected Android users to contact the scammers over QQ, a popular Chinese social network. According to the profiles, the extortionists are teenagers.

This virus was discovered in early 2014. Dozens of its variants have appeared ever since. Although some of their characteristics vary, they all leverage the same code. One of these spinoffs features a full-screen overlay, which is a black background that makes it look like the Android device is locked or turned off. A funny message is generated when the victim tries to reboot or shut down the gadget. For instance, the phone may play a shower scene audio from Alfred Hitchcock's Psycho movie while vibrating non-stop. Another edition of Jisut makes the victim tap a button reading "I'm an idiot" 1000 times, and the loop simply repeats afterward.

Aside from pranks proper, the malware can seriously affect the contaminated gadget. Some versions are capable of modifying the user-defined PIN or password that unlocks the device. Furthermore, Jisut may display a custom lock screen window like in the police ransomware scenarios. Some variants propagate by sending text messages containing a malicious hyperlink to all of the infected user's contacts.

7) Xbot

The relatively recent Xbot Trojan family encompasses more than 20 offending apps. This infection can steal Android users' personally identifiable data and banking credentials by leveraging a phishing hoax. To get the job done, it imitates Google Play payment screen and Login interfaces for several e-banking applications. Another nasty functionality is remote data encryption – Xbot can encode files stored on the SD card. Then, it tells victims to redeem their data by paying a ransom of 100 USD via PayPal. To top it off, the malware pilfers text messages and contacts.

Xbot mostly targets users in Australia and Russia. Based on code analysis, it appears to be a newer version of the infamous Trojan dubbed Aulrin, which surfaced in 2014. However, whereas Aulrin used Lua and .NET framework to operate, Xbot relies on the Rhino JavaScript engine by Mozilla. Furthermore, the Trojan employs DexGuard technology to prevent security researchers from reverse engineering its code.

The author of Xbot is most likely from Russia. The JavaScript code contains comments in Russian, and the above-mentioned Google Play phishing scam featured a misleading notification in the same language. Also, a Russian registrar was used to register some of the malware's Command and Control domains.

Xbot reaches out to its C2 server after infiltrating a device. Depending on the incoming commands, the infection may act differently. For example, if a "cc_notify" command is received the Trojan starts deploying the Google Play payment page fraud. In case the of "enable_inject" command, the malware looks for apps related to a number of Australian banks. If one is detected, a fake banking application interface is displayed on top of the original program, which allows the attackers to intercept the login credentials and transmit them to the C2 server.

In the event Xbot receives an "enable_locker" command, it encrypts the user's personal files and displays a ransom page. The alert says that the victim has five days to buy a 100 USD worth PayPal card and provide the card's number otherwise the files will be lost.

The Trojan can also parse text messages that the user receives from banks' premium rate numbers. This way, the scoundrels attempt to get hold of the person's account details and confirmation codes for various transactions.

Is Paying the Ransom a Good Idea?

Even if you end up deciding to pay the ransom, there is no guarantee that doing so will get your data back. In the unfortunate ransomware onslaught scenarios, there is a high risk of losing both the files and the money.

Another nontrivial argument is that your ransom is likely to be used for funding further progress of the malware industry. The submitted buyouts may contribute to the deployment of well-orchestrated and much more devastating cyber assaults further on.

Android Ransomware Prevention

  • Keep your Android software up to date.
  • Stay away from apps distributed on unfamiliar websites. Most ransomware samples emanate from application downloads available on freeware sites as well as third-party app stores.
  • Be sure only to install apps from reputable stores like Google Play or Amazon Appstore. Be advised, though; that caution won't hurt even if you stick with trustworthy sites like these. Scrutinize every applet and resort to user reviews before making up your mind.
  • Examine the set of permissions requested by every app.
  • Use a reliable mobile security suite.
  • Make regular backups.
David Balaban
David Balaban