How Ransomware Is Bleeding Over From Desktop to Mobile

Nokia recently released their Threat Intelligence Report - 2017. One conclusion from their report was that ransomware is one of the biggest Android malware threats.

What is Ransomware?

Ransomware made big news in 2017 with headline-worthy attacks such as WannaCry and NotPetya. An extremely malicious type of malware, ransomware is designed to hold your data ransom. Techniques include locking access to the victim’s data or encrypting it, denying access until a ransom is paid for the decryption key; other variants threaten to publish the data unless a ransom is paid. WannaCry made headlines in May after infecting PCs inside many government and corporate offices, including the United Kingdom’s National Health Service, FedEx and Telefónica among others, encrypting files and demanding a ransom to be paid via Bitcoin.

Shift To Mobile

Inevitably, threats on desktop PCs will make their way to mobile devices. While ransomware isn’t new to Android in 2017, as noted in the Nokia report, it is one of the top Android malware threats. Notable families of ransomware include the Jisut family, which will lock a user out of their device until a ransom is paid. Some Jisut variants will even talk to the victim in Chinese; others just change the wallpaper or home screen in addition to locking out the user.

Another recent headline-grabbing Android ransomware is DoubleLocker. DoubleLocker was based on the foundations of a banking trojan and is the first ransomware to misuse the Android accessibility services. Once installed, DoubleLocker locks both the data and the device, encrypting all files and setting a PIN code. Setting itself as the home launcher makes it more persistent, reactivating each time the user hits the home button. The mechanism to remove the malware is to reset to factory settings and wipe the device.

Ransomware Distribution

While Google Play has made strides to secure the Android app ecosystem through areas such as Google Play Protect, the predominant route of infection is through third-party Android stores and side-loading. The prevalence of third-party app stores makes this a not-insignificant problem, especially with third-party app stores accounting for 96% of the Android app market in China.

Ransomware, like many other malicious apps in these secondary markets, typically masquerades as a legitimate application. This adds a further dimension to the problem: upstanding corporate brands being implicated in ransomware attacks. For example, DoubleLocker masquerades as a FlashPlayer app, but could be disguised as a banking or other legitimate-looking application, depending on the audience that malicious actors want to target.

What can you do?

The best advice is to carefully vet applications that are being installed, especially from third-party markets. As a company, monitoring those markets for abuse of your brand and unauthorized use of your trademarks and brand assets is a responsible way to protect your customers as well as your reputation. Mobile app security automation tools such as MI3 RECON, which implements Contextually Aware Security Testing, can automate brand monitoring of third-party app markets in addition to risk scanning applications before deployment.
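
One way to make the vetting step concrete, as an added example that is not from the original article or from any vendor tool: a Python check over a decoded AndroidManifest.xml that flags an app declaring both traits described above for DoubleLocker, a home-launcher activity and an accessibility service. The manifest and package name are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical app
# "com.example.flashupdate"; not taken from any real malware sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <application>
    <activity android:name=".Launcher">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def _names(component, tag):
    """Collect android:name values of <tag> elements in the component's intent filters."""
    return {e.get(ANDROID + "name") for f in component.iter("intent-filter")
            for e in f.iter(tag)}

def triage_manifest(xml_text):
    """Return the sorted list of lock-screen ransomware traits a manifest declares."""
    root = ET.fromstring(xml_text)
    findings = set()
    for comp in root.iter():
        # An activity (or alias) registered for category HOME can act as the home launcher.
        if comp.tag in ("activity", "activity-alias") and \
                "android.intent.category.HOME" in _names(comp, "category"):
            findings.add("home_launcher")
        # Accessibility services are declared with this bind permission.
        if comp.tag == "service" and comp.get(ANDROID + "permission") == \
                "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.add("accessibility_service")
    return sorted(findings)

def needs_manual_review(xml_text):
    """Flag only the combination; either trait alone is common in benign apps."""
    return triage_manifest(xml_text) == ["accessibility_service", "home_launcher"]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), needs_manual_review(SAMPLE_MANIFEST))
```

A hit is a reason to look closer before deployment, not a verdict: launchers and assistive apps legitimately declare one of these traits each.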
