Malware News New Android Ransomware Goes Undetected by All Antivirus Programs

[Exterminator]

A new type of Android ransomware was discovered in the wild. What makes this one particularly scary and noteworthy is the fact that no antivirus program has managed to detect it.

Researchers for Zscaler ThreatLabZ discovered the new ransomware in a popular app called "OK," a Russian entertainment social network apps. The legitimate app that's available in the Google Play Store, with somewhere between 50 and 100 million installs is perfectly clean and does not contain any malicious code. It is the alternative found on third party app stores that is dangerous.

The ransomware has a few extra features to make you feel safe. For example, after you've installed the app, the malware doesn't act immediately as such tools often do. Instead, it stays silent for four hours, allowing the phone to operate as it regularly does, and even the app will work like it is supposed to.

Four hours later, the app prompts users to add a device administrator, allowing the app to change the screen unlock password, monitor screen-unlock attempts, lock the screen and set lock-screen password expiration. Of course, this sounds extremely suspicious so users might very well tap "cancel."

Even if this happens, the prompt reappears quickly, preventing the user from taking another action or uninstalling the app. If the user gives in and agrees to give the app admin powers, the ransom note appears on the screen. Attackers demand 500 rubles as payment, which is close to $9,000.

"We analyzed the sample further to understand whether the malware actually sends a user's data to a server. We didn't find any personal data leak as claimed by the ransomware and were not surprised when we found that the ransomware is NOT capable of unlocking the user's phone," the researchers note.

That means that even if the attacker pays the price, the ransomware will not stop operating and the victim will not be able to regain access to the phone. There is no functionality preset in the malware to confirm whether the user has paid the ransom or not, so it just continues to operate.

Stealthiness helps it dodge AV programs until it's too late
Researchers have concluded that this malware could end up injected into apps on the official Google Play Store quite easily. Mostly, that's because antivirus programs can't detect it due to the four-hour stealth tactic.

If you become infected, paying the ransom is useless since there's no way to get the malware to leave you alone. Instead, boot your device into Safe Mode, which disables third-party apps. Then, you have to remove the device admin privilege of the ransomware app, uninstall the app and reboot your device into normal mode. It's best to not install apps from unknown sources in the future, so you might want to go to the security settings area on your phone and de-select unknown sources from the device administration panel.

 

[frogboy]

This would be a good time to remind everyone to Backup now.

 

[Amelith Nargothrond]

This would be a good time to remind everyone to Backup now.

frogboy, not just an excellent advice, but also a mandatory practice

This is why:

1. You should (generally) buy a phone that gets regular updates/upgrades
2. Do regular nandroid backups and move them away from the phone
3. Pay attention to what permissions does the app need; if something smells fishy, don't install it, look for other alternatives, even if installing from the play store (which is generally safe enough, although there were cases when it turned out not to be)
4. Do not (never ever) install apps from untrusted software repositories (app stores, other websites); the Play Store should be the number one place to look at, though there are others as well; but because Google has so much to lose if it screws up, it's the best maintained and best secured of them all
5. Do not activate "allow installs from untrusted sources" in the phone security settings
6. Install as few apps as possible, avoid games as much as possible (i know this is hard for many, but a healthy practice)
7. Use 2FA wherever possible; this could be a lifesaver
8. Did i mentioned regular nandroid backups?

Although Android is my number one phone OS, because of its popularity, it became the number one target for malware (as Windows is). Better safe than sorry (even a little bit paranoid - just a little)

 

[Solarquest]

Google: Ransomware on Android Is Exceedingly Rare

 

[Amelith Nargothrond]

Google: Ransomware on Android Is Exceedingly Rare

Fortunately true, chances to get hit by a ransomware on Android are less or equal with getting hit by lightning, twice - and as long as you keep updating/upgrading Android, you should usually be just fine. Still, specially if you have an older version of Android, better to be safe than sorry

 

[Winter Soldier]

. It is the alternative found on third party app stores that is dangerous.

Always the same story and personally I would like to add to install just the necessary apps.
What could be the reason to use alternative markets? One of the reasons is to get cracked apps that maybe, if purchased, cost 2$...
The game is not worth the candle, never.