- Jan 24, 2011
- 9,378
The current generation of Android banking trojans are all equipped with ransomware-like features in order to lock the user's device, and in some cases encrypt his data.
Despite possessing such dangerous functions, very few Android banking trojans deploy them, focusing on their primary job of collecting login credentials for banking portals and instant messaging applications.
Nevertheless, when the ransomware feature is activated, the crooks behind the banking trojan do it for a very good reason.
Ransomware used as a secondary monetization system
In most cases, the trojan's ransomware feature is used as a secondary monetization feature, activated on devices where the original banking trojan has failed to collect login credentials or credit card details.
Not all users who get infected with an Android banking trojan use banking applications, so the ransomware feature is the crooks' last ditch effort to extract some form of payment from their victims.
One such threat is Android.SmsSpy.88, detected by Dr.Web security researchers this May and rented on underground hacking forums.
Ransomware used to keep victims "busy"
But there's a more insidious reason to activate a banking trojan's ransomware screen-locking feature, and that's to keep users busy as attackers initiate fraudulent transactions.
While the user is trying to figure out how to unlock his phone, crooks hope the victim would be to busy to see the SMS or email alerts he receives for large or fraudulent transactions that take place inside his bank account.
By the time the user manages to remove the ransom screen or reinstall his device, attackers had hours, even days, to move the stolen funds to different bank accounts, and withdraw them via ATMs, so authorities lose their tracks.
The best example for this is a malware detected only as Fanta SDK, discovered by Trend Micro at the end of May.
New banking trojan supports mobile crypto-ransomware
These two, Android.SmsSpy and Fanta SDK, along with the original Svpeng banking trojan, the first to add ransomware-like features, only came with support for locking the user's screen with a random PIN.
According to Kaspersky Lab's malware analyst Roman Unuchek, a recent version of the Faketoken (Trojan-Banker.AndroidOS.Faketoken) trojan has now added ransomware features that support encrypting user files as well, just like modern-day desktop ransomware.
The Faketoken encryption process uses the AES algorithm to lock files. Files with 89 different extensions are targeted, but according to Unuchek, the encryption feature is rarely used, the trojan focusing on its phishing capabilities, which currently target more than 2,000 financial apps and users in 27 countries.
Read more : It's Now Commonplace for Android Banking Trojans to Include Ransomware Features
