Robert Lipovsky, malware researcher at ESET, has published a new blog post and whitepaper today which looks at the Android Ransomware industry and reveals new trends ESET is witnessing.
2017 was without a doubt the year of ransomware. Users and businesses worldwide had to cope with the fallout of massive campaigns such as Petya or WannaCryptor and put up with damages that ran past the multibillion mark.
However, it wasn’t just PC ransomware that made headlines, as authors of Android malware were also looking for new revenue streams. In this new study, ESET reveals data from ESET’s detection telemetry around the current trends connected to Android Ransomware. The full report can be found here, however key findings are detailed below.
ESET will be discussing the findings of the research at Mobile World Congress (ESET booth – H41, located in hall 7) this month; if you are interested in a briefing at the show, please let me know.
- One of the most prominent novelties seen over the course of 2017 was the misuse of Android’s accessibility services, a functionality designed to help users with disabilities. At first, this kind of abuse was typical of Android banking malware; however, by the end of the year, it had also spilled over into the Android ransomware scene.
- A dedicated chapter of ESET’s paper details this malicious code, documenting its primary infection vector as well as its unique two-fold extortion method.
- Despite these new developments, the most popular attack technique remains screen-locking followed by a ransom demand. According to ESET telemetry, the most frequently detected variants of Android ransomware using this extortion method belonged to the Android/Locker family.
- One of the most innovative ransomware families was discovered by ESET researchers in the fall of 2017, dubbed DoubleLocker. While built on the foundations of a previously seen banking trojan, the malware didn’t have the functions related to harvesting victims’ banking credentials, nor did it try to wipe their accounts directly. Instead, it received two powerful tools for extorting money.
- DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data it finds in them – a unique combination that has not been seen previously in the Android ecosystem.
- The malware is distributed mostly as a fake Adobe Flash Player through compromised websites. Once launched, the app uses its disguise to request the activation of accessibility services. If accepted by the user, DoubleLocker misuses the permissions to activate device administrator rights and sets itself as the default Home application. This trick allows the ransomware to be activated whenever the home button gets clicked.
- DoubleLocker creates two reasons for the victim to pay:
- First, it changes the device’s PIN to a random value that the attackers neither store nor send anywhere, making it impossible for the user or security experts to recover it. After the ransom is paid, the attacker can remotely reset the PIN and unlock the device.
- Second, DoubleLocker encrypts all files in the device’s primary storage directory. It utilizes the AES encryption algorithm, appending the extension “.cryeye”. As the encryption is implemented properly, there is no way to recover the files without receiving the encryption key from the attackers.
- The ransom has been set to 0.0130 BTC (approximately USD 54 at time of discovery) and the message highlights that it must be paid within the next 24 hours. The only good news is that victims don’t have to comply with the attackers’ deadline – after the time runs out, the encrypted files are not deleted or damaged in any (additional) way.
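The behaviour chain described above (an accessibility service used to obtain device-administrator rights and the default Home role, followed by files renamed with the “.cryeye” extension) gives an incident responder two concrete things to look for. The following is an added triage example written for this post; it is not ESET’s code and is not taken from the whitepaper. The flat app-inventory format (a list of dicts with three boolean capability flags), the package names and the sample files are all constructed here for illustration; on a real device the inventory would be built from the platform’s package and device-policy information.

```python
"""Defender-side triage helpers for the DoubleLocker behaviour pattern.

Added example; not ESET's code and not from the whitepaper. The inventory
format (list of dicts with capability flags) is an assumption made for this
illustration, as are all package names and files below.
"""
import os
import tempfile

# Indicator taken from the text: encrypted files get the ".cryeye" extension.
RANSOM_EXTENSION = ".cryeye"


def suspicious_apps(inventory):
    """Return package names that hold all three capabilities DoubleLocker chains together.

    A legitimate launcher rarely needs both an accessibility service and device
    admin rights, so the combination is a strong triage signal even before any
    file has been encrypted.
    """
    flagged = []
    for app in inventory:
        if (app.get("accessibility_service")
                and app.get("device_admin")
                and app.get("default_home")):
            flagged.append(app["package"])
    return flagged


def count_encrypted_files(root):
    """Walk a storage tree and count files carrying the ransom extension, per directory."""
    per_dir = {}
    for dirpath, _dirs, files in os.walk(root):
        n = sum(1 for f in files if f.lower().endswith(RANSOM_EXTENSION))
        if n:
            per_dir[dirpath] = n
    return per_dir


# Constructed sample inventory (hypothetical packages, not real apps): the fake
# Flash Player entry shows the full chain, the others hold only part of it.
SAMPLE_INVENTORY = [
    {"package": "com.example.fakeflash", "accessibility_service": True,
     "device_admin": True, "default_home": True},
    {"package": "com.example.launcher", "accessibility_service": False,
     "device_admin": False, "default_home": True},
    {"package": "com.example.screenreader", "accessibility_service": True,
     "device_admin": False, "default_home": False},
]


def build_sample_storage():
    """Create a throwaway directory tree with constructed files to exercise the counter."""
    root = tempfile.mkdtemp(prefix="triage_")
    photos = os.path.join(root, "DCIM")
    os.makedirs(photos)
    for name in ("a.jpg.cryeye", "b.jpg.cryeye", "note.txt"):
        open(os.path.join(photos, name), "w").close()
    open(os.path.join(root, "doc.pdf.cryeye"), "w").close()
    return root


if __name__ == "__main__":
    print("apps chaining accessibility + device admin + home:",
          suspicious_apps(SAMPLE_INVENTORY))
    sample_root = build_sample_storage()
    print("encrypted files per directory:", count_encrypted_files(sample_root))
```

Run against the constructed data, only the fake Flash Player package is flagged, and the counter reports one “.cryeye” file in the root and two under DCIM. The capability check is deliberately conservative: an app holding just one of the three roles (a screen reader, a launcher) is not reported, which keeps the signal focused on the specific chain the report describes.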