Researchers are warning that a new version of WannaLocker – essentially a mobile derivative of WannaCry ransomware – has been enhanced with spyware, remote access trojan and banking trojan capabilities.
Cybercriminals have been using the all-in-one malware package in a campaign targeting Brazilian banks and their Android mobile customers, according to a July 1 blog post from Avast.
Avast threat researcher Nikolaos Chrysaidos, who discovered the malware, reported via his Twitter account that this new WannaLocker version appears to be a trifecta of the WannaLocker ransomware user interface, the AhMyth RAT program and custom banking malware. (French security researcher Elliot Alderson replied to Chrysaidos’ tweets, identifying the ransomware as SLocker – to which Chrysaidos responded, “Yeah, it’s the same [thing].”)
“We believe this is the first sighting of this new mobile version of WannaLocker,” said Chrysaidos, as quoted by his company’s blog post. “It harvests text information, call logs, phone number and credit card information, and if it takes off it could be a very serious issue.”
The likely attack vectors in this campaign are malicious links or third-party app stores, Avast reports.
“The banking Trojan works by showing users a fake interface and urging them to address an issue with their account by signing in,” Avast’s blog post states. “When they do, the malware collects a wide range of data, including the mobile manufacturer and other hardware information, call log, text messages, phone number, photos from front and back camera, contact list, GPS location and microphone audio data.”