Remember the SLocker malware outbreak you heard about last summer? The one that held Android devices ransom until the user paid whatever the hacker demanded? The threat that seemingly disappeared after only a few weeks?

We do. It affected thousands of mobile devices, wreaking havoc on the global business community. But don’t be fooled – malware doesn’t disappear that easily.
Wandera has discovered that SLocker is making a comeback, and this time it is more resilient to the defensive protections provided by security tools.
Our mobile intelligence engine, MI:RIAM, has identified nearly 400 unique samples of SLocker malware in distribution, and that number is rapidly increasing.
These 400 variants of the so-called ‘polymorphic’ malware are designed not only to evade detection by signature-based scanners but also to carry new malicious functionality.


What is SLocker malware?

SLocker is ransomware that encrypts the images, documents and videos on your mobile device and then demands a ransom to decrypt them. Once executed, the malware starts a service that runs in the background of your device without your knowledge or consent.
While initially operating stealthily, once the file encryption process is complete, the service will hijack your phone, blocking your access, locking your screen and constantly showing you an intimidating message. This message usually threatens to expose or destroy the information on your device. Some versions of SLocker have been known to accuse you of having ‘perversions’ on your device in order to frighten you into compliance.
The only way to take back full control of your phone is to pay the ransom demanded, or risk destruction or exposure of your personal data.

What happened?

SLocker malware plagued the mobile business environment for weeks back in mid-2016. These attacks were estimated to have resulted in tens of millions of dollars in ransom paid to recover data from the hackers. Weeks after the initial wave of attacks, security companies patched the issue for their enterprise customers. Devices were updated and the threat seemingly disappeared.
Over the past few months, MI:RIAM, our mobile intelligence engine, has detected over 400 variants of that same malware. These strains are targeting businesses’ mobile fleets through easily accessible third-party app stores and websites where rigorous security checks go by the wayside.
These variants have been carefully redesigned and repackaged to avoid all known detection techniques. They utilize a wide variety of disguises including altered icons, package names, resources and executable files in order to evade signature-based detection.
The good news is MI:RIAM saw through them, all thanks to her advanced machine learning techniques.

SLocker malware detected by MI:RIAM broken down by subvariant family

As you can see on the graph below, the second surge of malware brought on 400 new variants of SLocker after the initial wave of attacks back in mid-2016. In total, approximately 3,000 variations of this ransomware were detected by MI:RIAM.

How did she do it?

Only the advanced intelligence of MI:RIAM could surface the secretive return of this malicious strain of malware. Using the latest in machine learning technology, MI:RIAM recognized the sophisticated digital DNA of SLocker, drawing upon millions of historical data points to investigate the malware’s architecture. This allowed her to detect the variations of malware that the hackers had created to bypass conventional security scans.
While traditional security engines rely on exact-match, signature-based detection, MI:RIAM learns the structural patterns of malware and other threats, enabling her to uncover brand new threats like SLocker and protect your mobile fleet.
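An added illustration (not Wandera's code, and not how MI:RIAM itself works) of the point made here and in the section above: altered icons, package names, resources and padded executables defeat a whole-file hash signature, while a fingerprint over the manifest features the ransomware cannot drop (storage access, screen overlay, boot persistence) survives the repackaging. The manifest records, package names and permission sets are constructed for the example.

```python
import hashlib
import json

# Constructed records standing in for a parsed AndroidManifest.xml plus the
# package's raw bytes. Names and permissions are illustrative only.
KNOWN_SAMPLE = {
    "package": "com.example.videoplayer", "icon": "ic_player.png",
    "permissions": ["android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE",
                    "android.permission.SYSTEM_ALERT_WINDOW",
                    "android.permission.RECEIVE_BOOT_COMPLETED"],
    "receiver_actions": ["android.intent.action.BOOT_COMPLETED"],
    "services": ["com.example.videoplayer.LockService"],
    "raw": b"dex\n035\x00" + b"A" * 64,
}
# Repackaged variant: new package name, icon, renamed class and padded bytes,
# but the same permission and receiver structure the ransomware needs.
REPACKAGED = {
    "package": "com.fun.gamebooster", "icon": "ic_boost.png",
    "permissions": ["android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.SYSTEM_ALERT_WINDOW",
                    "android.permission.WRITE_EXTERNAL_STORAGE",
                    "android.permission.READ_EXTERNAL_STORAGE"],
    "receiver_actions": ["android.intent.action.BOOT_COMPLETED"],
    "services": ["com.fun.gamebooster.a.b"],
    "raw": b"dex\n035\x00" + b"A" * 64 + b"JUNK" * 8,
}

def file_hash(sample: dict) -> str:
    """Whole-file signature: any byte change (icon, name, padding) breaks it."""
    return hashlib.sha256(sample["raw"]).hexdigest()

def structural_fingerprint(sample: dict) -> str:
    """Hash only behaviour-bearing manifest features. Package name, icon,
    class names and raw bytes are ignored because a repackager changes them
    freely; permissions and the boot receiver cannot change without breaking
    the ransomware's own functionality."""
    features = {"permissions": sorted(sample["permissions"]),
                "receiver_actions": sorted(sample["receiver_actions"]),
                "service_count": len(sample["services"])}
    return hashlib.sha256(json.dumps(features, sort_keys=True).encode()).hexdigest()

def classify(sample: dict, known_hashes: set, known_fingerprints: set) -> str:
    """Report which detector, if any, recognises the sample."""
    if file_hash(sample) in known_hashes:
        return "hash-signature"
    if structural_fingerprint(sample) in known_fingerprints:
        return "structural"
    return "unknown"
```

In practice the feature set would be richer (API call graphs, string tables, resource layouts) and learned rather than hand-picked, but the principle is the same: fingerprint what the malware must keep, not what the repackager can change.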
Not only that, but MI:RIAM enables Wandera to block these attacks proactively through its secure mobile gateway, stopping them before they even reach the device. This can only occur thanks to her continuous knowledge of the fleet’s traffic.
Every single device enabled with Wandera is monitored and analyzed by MI:RIAM, for every single second of every single day.
Many businesses are currently being hit over and over again by variations of perpetuating malware attacks that their security solution cannot recognize or protect against.
In contrast, Wandera customers can sleep soundly, knowing they are protected by MI:RIAM’s always-on detection capabilities.

What else can she do?

As you’ve no doubt realized by now, MI:RIAM is unmatched at detecting zero-day malware threats such as SLocker. She possesses the unique ability to identify previously undiscovered threats and is constantly exposing new leaks, risks and vulnerabilities to protect the mobile fleets of Wandera customers.
Her capabilities, however, extend beyond threat detection. One of MI:RIAM’s key strengths lies in anomaly detection. Taking in over two billion daily inputs from all of the mobile devices connected to Wandera’s global platform, she has the capacity to compare the behavior of your device to that of your colleagues, your superiors and even those at other companies within your industry around the world.
MI:RIAM even has the ability to automatically identify peer groups of devices that share similar behavioral patterns and compare them in real time. She is therefore consistently trained on the standard operating behavior of devices, applications, Wi-Fi access points and user groups, so she can easily identify when these properties are engaging in odd or anomalous behavior.
MI:RIAM put her anomaly detection proficiency to use when she protected an American pharmaceuticals company from a rogue internal threat. This company thought it was fully protected from data leaks by its watertight MDM controls, which prevented any kind of unsolicited app-based cloud storage. However, the company found that Wandera, with the benefit of MI:RIAM intelligence, is the only solution that offers complete visibility into the mobile fleet. Take a closer look at what happened here.

The machine advantage

There will always be the need for human talent, but with MI:RIAM’s breakneck speeds, universal focus, tireless ethic, constant connectivity, unfailing accuracy and continuous improvement, it’s clear that there are some things machines can simply do better than humans.
That’s the smart approach to mobile security.

Interested in hearing more about machine learning for security?

Read the whitepaper
