The recent global outbreaks of the WannaCry and Petya/GoldenEye ransomware variants shook the tech and business world. Traditionally designed as a for-profit malware scheme, ransomware encrypts important files on computers and demands a ransom to give you access to them again.
These cyberattacks mainly targeted outdated and unpatched Windows machines, which are vulnerable to a variety of NSA hacking tools leaked earlier this year. Since the flaws are wormable, the attacks even prompted Microsoft to make an unusual move - it released a patch for the now obsolete and unsupported operating systems to protect the apparent millions of users still using this outdated software.
Now, it looks like the ransomware attacks are expanding to the mobile world. A group of cybercriminals are reportedly mimicking the WannaCry attacks but are setting their sights on the Android mobile platform.
SLocker Android ransomware
Trend Micro researchers have uncovered a new variant of the SLocker Android ransomware and it's said to be copying the look and interface of WannaCry.
SLocker is one of the oldest Android screen locker and file encrypting ransomware around. It tricks its victims to pay the ransom by impersonating various law enforcement agencies like the FBI or the "Cyber Police." This strain of malware even crossed over to Android-powered smart TVs in the form of Flocker.
According to the researchers, this newly discovered Slocker variant, nicknamed ANDROIDOS_SLOCKER.OPST, is "notable for being an Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak."
The vectors for this ransomware variant are fake game guides, video players, and other apps that trick would-be victims into installing it. The sample captured by Trend Micro was disguised as a cheating tool for the game King of Glory. All apps originate from China.
Once installed, the icon for the malicious software looks nothing out of the ordinary since it appears like a regular game guide or cheating app. When it runs, it changes its name and icon and alters the infected Android gadget's wallpaper. It also replaces an activity called "com.android.tencent.zdevs.bah.MainActivity" and replaces it with an alias.
The ransomware then checks if it's been installed on the gadget before. If not, it then proceeds to search for certain text, pictures and video files (must be larger than 10 KB and smaller than 50 MB) on the gadget's storage and encrypts them.
"We see that the ransomware avoids encrypting system files, focuses on downloaded files and pictures and will only encrypt files that have suffixes (text files, pictures, videos)," Trend Micro noted. "When a file that meets all the requirements is found, the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task."
Once the files have been encrypted, the victim is then given three options to pay the ransom, which curiously still led to the same payment destination. The ransomware also threatens that if the ransom has not been paid after three days, the ransom price will be raised and even worse, all files will be deleted after a week.
Thankfully, according to BleepingComputer, it looks like the two perpetrators of this scheme, who hail from China, have been arrested. Chinese police stated the Android ransomware only affected fewer than 100 victims so far since the cybercriminals did not have the experience nor the tools to run a widespread campaign.
PROTECT YOUR MOBILE DEVICE
With the ever-growing threat of ransomware, you need to take precautionary steps. Here are suggestions that will help:
- Avoid downloading and installing apps from "Unknown Sources." - Only download apps from the official Google Play app store and make sure you check user reviews, too, before installing.
- Back up data regularly - this is the best way to recover your critical data if your computer is infected with ransomware.
- Make sure your backups are secure - do not connect your backups to computers or networks that they are backing up.
- Never open risky links in emails - don't open attachments from unsolicited emails, it could be a phishing scam. Ransomware can infect your gadget through malicious links found in phishing emails. Can you spot one? Take our phishing IQ test to find out.
- Have strong security software - this will help prevent the installation of ransomware on your gadget.
Backing up your critical data is an important safety precaution in the fight against ransomware. It's the best way to recover your files without paying a ransom.
We recommend using our sponsor IDrive. You can backup all your PCs, Macs and Android/iOS mobile devices into ONE account for one low cost! Go to IDrive.com and use promo code Kim to receive an exclusive offer.