Malware News New Android Ransomware Goes Undetected by All Antivirus Programs

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A new type of Android ransomware was discovered in the wild. What makes this one particularly scary and noteworthy is the fact that no antivirus program has managed to detect it.

Researchers for Zscaler ThreatLabZ discovered the new ransomware in a popular app called "OK," a Russian entertainment social network apps. The legitimate app that's available in the Google Play Store, with somewhere between 50 and 100 million installs is perfectly clean and does not contain any malicious code. It is the alternative found on third party app stores that is dangerous.

The ransomware has a few extra features to make you feel safe. For example, after you've installed the app, the malware doesn't act immediately as such tools often do. Instead, it stays silent for four hours, allowing the phone to operate as it regularly does, and even the app will work like it is supposed to.

Four hours later, the app prompts users to add a device administrator, allowing the app to change the screen unlock password, monitor screen-unlock attempts, lock the screen and set lock-screen password expiration. Of course, this sounds extremely suspicious so users might very well tap "cancel."

Even if this happens, the prompt reappears quickly, preventing the user from taking another action or uninstalling the app. If the user gives in and agrees to give the app admin powers, the ransom note appears on the screen. Attackers demand 500 rubles as payment, which is close to $9,000.

"We analyzed the sample further to understand whether the malware actually sends a user's data to a server. We didn't find any personal data leak as claimed by the ransomware and were not surprised when we found that the ransomware is NOT capable of unlocking the user's phone," the researchers note.

That means that even if the attacker pays the price, the ransomware will not stop operating and the victim will not be able to regain access to the phone. There is no functionality preset in the malware to confirm whether the user has paid the ransom or not, so it just continues to operate.

Stealthiness helps it dodge AV programs until it's too late
Researchers have concluded that this malware could end up injected into apps on the official Google Play Store quite easily. Mostly, that's because antivirus programs can't detect it due to the four-hour stealth tactic.

If you become infected, paying the ransom is useless since there's no way to get the malware to leave you alone. Instead, boot your device into Safe Mode, which disables third-party apps. Then, you have to remove the device admin privilege of the ransomware app, uninstall the app and reboot your device into normal mode. It's best to not install apps from unknown sources in the future, so you might want to go to the security settings area on your phone and de-select unknown sources from the device administration panel.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
This would be a good time to remind everyone to Backup now. :eek:

frogboy, not just an excellent advice, but also a mandatory practice :)

This is why:
  1. You should (generally) buy a phone that gets regular updates/upgrades
  2. Do regular nandroid backups and move them away from the phone
  3. Pay attention to what permissions does the app need; if something smells fishy, don't install it, look for other alternatives, even if installing from the play store (which is generally safe enough, although there were cases when it turned out not to be)
  4. Do not (never ever) install apps from untrusted software repositories (app stores, other websites); the Play Store should be the number one place to look at, though there are others as well; but because Google has so much to lose if it screws up, it's the best maintained and best secured of them all
  5. Do not activate "allow installs from untrusted sources" in the phone security settings
  6. Install as few apps as possible, avoid games as much as possible (i know this is hard for many, but a healthy practice)
  7. Use 2FA wherever possible; this could be a lifesaver
  8. Did i mentioned regular nandroid backups?
Although Android is my number one phone OS, because of its popularity, it became the number one target for malware (as Windows is). Better safe than sorry (even a little bit paranoid - just a little) :p
 
Last edited:

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
Last edited:

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
. It is the alternative found on third party app stores that is dangerous.
Always the same story and personally I would like to add to install just the necessary apps.
What could be the reason to use alternative markets? One of the reasons is to get cracked apps that maybe, if purchased, cost 2$...
The game is not worth the candle, never.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top