When Ransomware Goes Mobile

By Special Guest
Feixiang He, Cyber Analyst, Check Point Software Technologies

While ransomware is an epidemic in the PC world, we see an entirely different trend in the mobile world where ransomware targets Android (News - Alert) devices almost exclusively. Among Android ransomware, we can identify three significantly different families, each with a different way of working.

The first family is screen blocker ransomware. This family makes normal interaction with the device screen impossible by forcing system-level alerts. The first sample, called Android fake defender, appeared in mid-2013 and claimed to be an anti-virus app. The malware indicated that the device was infected and demanded that victims purchase the full version to remediate the risk. If the user chooses to continue with the free version, the malware waited for a boot and then triggered a notification window every time the user interacted with the device.

In 2014, we saw the first mobile ransomware encrypt files, following the success of Windows-targeted crypto-lockers. The malware called simplocker, disguised itself as a porn app then spread itself using “Droppers,” app whose sole purpose is to install other malicious apps.

After launching, simplocker displayed ransom messages demanding the victim pay a fine to law enforcement agencies. This tactic imitates one used by the first computer ransomware. Meanwhile, another thread ran in the background to encrypt files on the SD card using AES encryption. The first variants used keys that were hard coded in plain text, making decryption possible, but as variants evolved they received keys from a C&C server, making decryption impossible.

The most recent mobile ransomware family is the Pin locker, which emerged early in 2015.

One instance called PornDroid pretends to be a porn player. The app presents a fake overlay to clickjack the user into granting it Admin-level privileges on the device. With these privileges, the malware changes the Pin code and locks the user out of the device. Similar to the crypto-locker family, the malware then displays a ransom message claiming to be from a law enforcement agency demanding the user pays a fine.

iOS is a different story 

We have yet to see an actual ransomware targeting iOS devices, but there was one case where iOS users were extorted. In 2015, attackers used credentials leaked from various website breaches like the eBay (News - Alert) breach to log into iCloud accounts. Once inside, the attackers locked users’ iPhones and iPads, demanding ransom in return for their release.

What’s the big difference from PC ransomware?

Unlike PC ransomware, mobile ransomware focuses on locking users out of a device since most users keep less valuable information there than PCs. This point becomes even clearer when considering the fact that due to Android sandboxing, malware cannot trivially access any memory partition it wants, but only the SD card, using the appropriate Android permission.

Also, unlike the PC world, mobile bankers still thrive. The cause for this is probably the ease with which mobile bankers can steal Two-Factor Authentications since they are usually sent to the mobile device. PC bankers, on the other hand, have a hard time bypassing this security measure.

Looking to the future, we expect to see Android ransomware use privilege escalation capabilities to inflict the same damage on devices, and not limit itself to the SD card. Furthermore, mobile ransomware infrastructures for sale will probably appear, similar to what has happened with mobile banker malware, which is offered for sale in various forums. We can also expect iOS to become a ransomware target as we have recently seen the appearance of KeRanger, the first OS X ransomware target Apple’s (News - Alert) Mac platform. 

About the Author

Feixiang He is a cyber analyst and blogger who focuses on mobile information security in Asia on the Check Point Software Technologies Research Team.