Ransomware was not a word many were familiar with until WannaCry made its public debut on May 12, 2017 and infected devices at organizations in over 150 countries worldwide.

Media attention subsequently hit fever pitch around ransomware, resulting in full blown panic within companies. IT teams have been furiously backing up files, hiring security companies and sweating it out, awaiting the next vicious attack.
But how much does your organization actually know about ransomware? Until now, if you did recognize the term, it likely would have been as a lesser known family of malware that affected Windows devices, mostly in Eastern Europe.
The unfortunate fact is that the rise in mobile ransomware attacks could easily have been anticipated.
One of the most prevalent trends in malware is hackers adopting techniques that work well on platforms like Windows and bringing them to life in the now very lucrative arena of mobile devices.
The eruption of Android ransomware was an obvious next step – and yet many companies missed the boat.
mobile ransomware

Ransomware explained

First and foremost, it’s important to understand what ransomware is.
Ransomware is a specific type of malware that demands money from a user and, in exchange, promises to release either the files or the functionality of the device being held hostage. According to the Verizon Mobile Security Index, over 40% of all successful malware attacks involve ransomware.
There are two types of ransomware:

  1. Lock-screen ransomware
  2. Crypto-ransomware

The two categories differ in terms of the actual resource being retained by the attacker.
Lock-screen ransomware attacks the device from a system level, changing the PIN/password or overlaying a window over all other apps and demanding a ransom to allow use of the device again.
Crypto-ransomware actually encrypts the files on the device and demands a ransom to have them unencrypted.
Both types of ransomware have wreaked havoc on individuals and businesses for many years, mostly on the Windows platform, causing major financial and data losses.
The fact that this type of malware has made its way to the Android ecosystem, coupled with the increased use of mobile devices to store valuable company IP, means potentially severe implications for your business without the right protection in place.

Infecting the device

Modern ransomware distribution goes beyond the traditional methods of sending spam emails and launching infected websites. Most mobile ransomware spreads in the same way other types of Android malware does: through compromised applications. These applications are readily available to users through third-party app stores. Hackers will usually choose popular apps to mimic or infect, increasing the likelihood that victims will download their version.
Depending on the sophistication of the attack, the app may only portray the icon and name of the original application. Alternatively, the hacker may add malicious code to the existing app while retaining the original functionality. Usually, this is done to silently install malware on a device without raising suspicions of users.

Command & Control

Once the ransomware has been installed, it usually sends information back to what’s called the Command & Control (C&C) server. These servers are simply the technical infrastructure that hackers use to control their attacks.
Thanks to its connection with the C&C server, ransomware can be directed to carry out any number of commands on the mobile device itself.
Other than simply locking the device and displaying a ransom message, hackers can gain the ability to send SMS messages, receive contact information, open websites in the browser, turn on/off data, turn on/off wi-fi and track your location through GPS.
Ransomware infected mobile devices can easily become hacker controlled ‘bots’, ready and willing to spread malware to more devices.

The mobile ransomware hall of shame

The first Android crypto-ransomware ever discovered (and still in existence today) is called Simplocker. It made its first appearance back in June 2014.
Users are infected when they download a “Flash Player” application and give it administrative privileges upon first launch. This results in the encryption of the device’s files.
At first, Simplocker’s encryption was fairly simple to decode as the encryption key was hardcoded inside the malware and wasn’t unique to every device. So, once the key was discovered, it was easy to unlock infected device files without paying ransom. Unfortunately, this is no longer the case as a new superior variant has been created.
This variant generates a unique encryption key for each device it infects which makes it especially difficult to decrypt files. Because of this, users are forced to wait until a solution to decrypt the files has been found.
As we’ve seen from our recent discovery of SLocker’s return, new variations of ransomware can be easily redesigned and deployed or packaged up with other pieces of malware to execute further, more sophisticated attacks.

Svpeng is a lock-screen malware that has the ability to both act as ransomware and steal users’ banking details. It was transmitted, interestingly enough, through a Google AdSense advertisement.
It made its first appearance back in June 2014 as a mobile malware that stole credit card information mostly from Russian citizens. It has subsequently evolved into a ransomware that locks the devices of North Americans.
Svpeng is not a crypto-ransomware so it is virtually impossible to repel an attack of the American version if a mobile device doesn’t have some sort of security solution. Once downloaded, the malware blocks the device completely rather than separating the files like Simplocker. Therefore, the device is rendered completely unusable and the only solution is to completely wipe the phone, losing all of the information stored on it.
Svpeng currently contains inactive encryption code so it is likely that it will soon be used to encrypt user data as well.

Koler is an incredibly interesting lock-screen malware that takes advantage of the C&C server we touched on earlier. This ransomware has historically been distributed through pornographic sites, manifesting itself as an application. Recently however, it has begun spreading via SMS message.
Once installed, Koler locks the screen of the device and displays a fake notification from law enforcement accusing users of viewing child pornography. It then demands a fine in order to regain control of the device.
This is what we’ve come to expect of most ransomware variants, however this particular strain of Koler doesn’t stop there. It proceeds to send text messages to all of the contacts on a device that contains a mysterious URL, together with a note telling the contact the user has discovered photos of them online.
The URL links the contact to an APK stored on dropbox usually called “photoviewer”. Of course, there are no photos. The file contains the ransomware program repackaged to attack the victim’s device.
This particular variant of Koler again clearly builds upon the sophistication level of the previous version.

SLocker is a screen-lock ransomware that first starting hitting corporate devices back in December 2015. Once SLocker is executed, it starts a service that runs in the background of the device without the knowledge or consent of the user.
While initially operating stealthily, once the download is complete, the service will hijack the phone, blocking access, locking the screen and constantly showing an intimidating message.
This message usually threatens to expose or destroy the information on the device. Some versions of SLocker have been known to accuse users of having ‘perversions’ on their devices in order to frighten them into compliance.
Weeks after the initial wave of attacks, security companies patched the issue for their enterprise customers and the threat seemingly disappeared. However, in May 2017, Wandera detected over 400 variants of SLocker targeting businesses’ mobile fleets through easily accessible third party app stores and websites. These variants have been carefully redesigned and repackaged to avoid all known detection techniques
This simply goes to show that ransomware very rarely disappears completely. It’s constantly reinventing itself, coming up with new intelligent ways to attack more devices, in increasingly harmful ways.

Protecting your business

Google has taken measures to protect against Android ransomware with its operating system called “Android O” which will block system-type windows, even if the relevant permission has been granted by the device. These system-type windows are a popular choice among hackers when executing lock-screen ransomware.
This block definitely makes it more difficult for some types of lock-screen ransomware to function, however, crypto-ransomware is completely unaffected it. In addition, those who haven’t upgraded to the new OS are left vulnerable. According to our data. 57% of android devices are running an OS at least two full versions behind the current one.
The best measures you can take to avoid ransomware infection are as follows:

  • Keep operating systems up to date to ensure the latest security functionality is in place
  • Back up mobile devices consistently to ensure minimal data loss if there is a ransomware attack
  • Only download apps from official sources and read permissions carefully to ensure the app doesn’t have access to unnecessary functionality

In closing

It is absolutely vital that your business protect itself against mobile ransomware. Don’t get caught thinking this type of malware is a computer-only problem. Mobile is the new frontier for cyber threats, and if your business doesn’t adapt, it may end up paying a hefty price.
[text-blocks id=”3610″]