Mobile Ransomware: Are You Informed?
Guest blog by Wandera.
How much does your organisation know about ransomware?
Until now, if you did recognise the term, it likely would have been as a lesser-known family of malware that affected Windows devices, mostly in Eastern Europe.
The unfortunate fact is that the recent rise in mobile ransomware attacks could easily have been anticipated.
One of the most prevalent trends in malware is hackers adopting techniques that work well on platforms like Windows and bringing them to life in the now very lucrative arena of mobile devices.
The eruption of Android ransomware was an obvious next step – and yet many companies missed the boat.
First and foremost, it’s important to understand what ransomware is.
Ransomware is a specific type of malware that demands money from a user and, in exchange, promises to release either the files or the functionality of the device being held hostage.
There are two types of ransomware:
1. Lock-screen ransomware
Lock-screen ransomware attacks the device from a system level, changing the PIN/password or overlaying a window over all other apps and demanding ransom to allow use of the device again.
2. Crypto-ransomware
Crypto-ransomware actually encrypts the files on the device and demands a ransom to have them unencrypted.
The difference between the two is in terms of the actual resource being retained by the attacker.
Both types of ransomware have wreaked havoc on individuals and businesses for many years, mostly on the Windows platform, causing major financial and data losses.
The fact that this type of malware has made its way to the Android ecosystem, coupled with the increased use of mobile devices to store valuable company IP, means potentially severe implications for your business without the right protection in place.
Infecting the device
Mobile ransomware spreads in the same way other types of Android malware do, through compromised applications.
These applications are readily available to users through third party app stores. Hackers will usually choose popular apps to mimic or infect, increasing the likelihood that victims will download their version.
Depending on the sophistication of the attack, the app may only portray the icon and name of the original application. Alternatively, the hacker may add malicious code to the existing app while retaining the original functionality. Usually this is done to silently install malware on a device without raising suspicions of users.
Command & Control
Once the ransomware has been installed, it usually sends information back to what’s called the Command & Control (C&C) server. These servers are simply the technical infrastructure that hackers use to control their attacks.
Thanks to its connection with the C&C server, ransomware can be directed to carry out any number of commands on the mobile device itself.
Other than simply locking the device and displaying a ransom message, hackers can gain the ability to send SMS messages, receive contact information, open websites in the browser, turn on/off data, turn on/off wi-fi and track your location through GPS.
Ransomware-infected mobile devices can easily become hacker-controlled ‘bots’, ready and willing to spread malware to more devices.
The mobile ransomware hall of shame
The first Android crypto-ransomware ever discovered (and still in existence today) is called Simplocker. It made its first appearance back in June 2014.
Users are infected when they download a “Flash Player” application and give it administrative privileges upon first launch. This results in the encryption of the device’s files.
At first, Simplocker’s encryption was fairly simple to decode as the encryption key was hardcoded inside the malware and wasn’t unique to every device. So, once the key was discovered, it was easy to unlock infected device files without paying ransom. Unfortunately, this is no longer the case as a new superior variant has been created.
This variant generates a unique encryption key for each device it infects which makes it especially difficult to decrypt files. Because of this, users are forced to wait until a solution to decrypt the files has been found.
As we’ve seen from our recent discovery of SLocker’s return, new variations of ransomware can be easily redesigned and deployed or packaged up with other pieces of malware to execute further, more sophisticated attacks.
Svpeng is a lock-screen malware that has the ability to both act as ransomware and steal users’ banking details. It was transmitted, interestingly enough, through a Google AdSense advertisement.
It made its first appearance back in June 2014 as a mobile malware that stole credit card information mostly from Russian citizens. It has subsequently evolved into a ransomware that locks the devices of North Americans.
Svpeng is not a crypto-ransomware, so it is virtually impossible to repel an attack of the American version if a mobile device doesn’t have some sort of security solution. Once downloaded, the malware blocks the device completely rather than encrypting individual files as Simplocker does. Therefore, the device is rendered completely unusable and the only solution is to completely wipe the phone, losing all of the information stored on it.
Svpeng currently contains inactive encryption code so it is likely that it will soon be used to encrypt user data as well.
Koler is an incredibly interesting lock-screen malware that takes advantage of the C&C server we touched on earlier.
This ransomware has historically been distributed through pornographic sites, manifesting itself as an application. Recently however, it has begun spreading via SMS message.
Once installed, Koler locks the screen of the device and displays a fake notification from law enforcement accusing users of viewing child pornography. It then demands a fine in order to regain control of the device.
This is what we’ve come to expect of most ransomware variants; however, this particular strain of Koler doesn’t stop there. It proceeds to send text messages containing a mysterious URL to all of the contacts on the device, together with a note telling the contact that the user has discovered photos of them online.
The URL links the contact to an APK stored on Dropbox, usually called “photoviewer”. Of course, there are no photos. The file contains the ransomware program repackaged to attack the victim’s device.
This particular variant of Koler again clearly builds upon the sophistication level of the previous version.
SLocker is a screen-lock ransomware that first started hitting corporate devices back in December 2015. Once SLocker is executed, it starts a service that runs in the background of the device without the knowledge or consent of the user.
While initially operating stealthily, once the download is complete, the service will hijack the phone, blocking access, locking the screen and constantly showing an intimidating message.
This message usually threatens to expose or destroy the information on the device. Some versions of SLocker have been known to accuse users of having ‘perversions’ on their devices in order to frighten them into compliance.
Weeks after the initial wave of attacks, security companies patched the issue for their enterprise customers and the threat seemingly disappeared.
Over the past few months, however, MI:RIAM, our mobile intelligence engine, has detected over 400 variants of SLocker targeting businesses’ mobile fleets through easily accessible third-party app stores and websites.
These variants have been carefully redesigned and repackaged to avoid all known detection techniques.
This simply goes to show that ransomware very rarely disappears completely. It’s constantly reinventing itself, coming up with new intelligent ways to attack more devices, in increasingly harmful ways.
Protecting your business
You may have seen recently that Google has taken countermeasures to protect against Android ransomware. Its new OS, called “Android O”, will block system-type windows, even if the relevant permission has been granted on the device. These system-type windows are a popular choice among hackers when executing lock-screen ransomware.
This block definitely makes it more difficult for some types of lock-screen ransomware to function; however, crypto-ransomware is completely unaffected by it. In addition, those who haven’t upgraded to the new OS are left vulnerable.
To give you an idea of how at risk most Android devices are, only 7.1% of all Android users have updated their devices to run on the latest operating system, ‘Nougat’, released in August 2016.
The best way to protect your mobile fleet is to have a security solution monitoring device traffic at all times and ensuring downloads of apps containing malware are prevented, prior to reaching the phone.
Policy controls are also valuable to have in place to ensure risky content categories, wherein users can easily come across malicious apps (for example, third party app stores), are proactively blocked. As you’ve no doubt realised, once malware has been installed on the device, the solutions available are limited.
In addition, there are things users can do themselves to ensure they are protected. First, operating systems should always be kept up to date to ensure the latest security functionality.
Second, corporate devices should be backed up consistently to ensure minimal data loss should there be a ransomware attack.
Lastly, apps should be downloaded from official sources only. Permissions should be read carefully and access to device resources shouldn’t be permitted where it is not warranted by the app’s functionality.
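To make the “read permissions carefully” advice concrete, here is an added example (not Wandera’s code or MI:RIAM) that triages an Android manifest for the capabilities this post attributes to mobile ransomware: overlay windows, device-admin rights, SMS sending, contact harvesting, GPS and file access. The permission-to-behaviour mapping is our assumption, and the manifest is a constructed imitation of a fake “Flash Player” app rather than a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from Android permissions to the behaviours described in the post.
CAPABILITIES = {
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_abuse": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "location_tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "file_access": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def parse_manifest(xml_text):  # -> (declared permissions, has device-admin receiver)
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return perms, admin

def triage(xml_text):  # list the capability buckets the app requests, admin last
    perms, admin = parse_manifest(xml_text)
    hits = sorted(name for name, needed in CAPABILITIES.items() if perms & needed)
    if admin:
        hits.append("device_admin")
    return hits

def classify(hits):  # flag combinations matching the ransomware patterns above
    hits = set(hits)
    findings = []
    if "screen_overlay" in hits and "persistence" in hits:
        findings.append("lock-screen overlay that survives reboot")
    if "device_admin" in hits and "file_access" in hits:
        findings.append("device-admin backed file access (crypto-ransomware pattern)")
    if "sms_abuse" in hits and "contact_harvest" in hits:
        findings.append("SMS spread to harvested contacts (Koler-style)")
    return findings

# Constructed manifest imitating a fake "Flash Player" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application><receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
```

Running `classify(triage(SAMPLE_MANIFEST))` on the constructed manifest flags all three patterns, while a manifest requesting only INTERNET produces no findings; the same functions can be pointed at a manifest extracted from any APK under review.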
It is absolutely vital that your business protect itself against mobile ransomware. Don’t get caught thinking this type of malware is a computer-only problem. Mobile is the new frontier for cyber threats, and if your business doesn’t adapt, it may end up paying a hefty price.