Ransomware continues to make waves, especially with the rise of file-encrypting ransomware like CryptoLocker. However, we are seeing yet another alarming development for this malware: it is now targeting mobile devices.
Reveton Makes a Comeback
In early May, it was reported that this mobile ransomware was the product of the Reveton gang. Reveton was one of the many cybercrime groups that spread police ransomware, which hit Europe and the U.S. and subsequently spread to other parts of the world.
It now appears that these cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware.
The mobile ransomware is detected as ANDROIDOS_LOCKER.A and is downloaded from a specific URL. The domain contains words like “video” and “porn,” which gives an idea of how users wound up on the site.
The malware monitors screen activity while the device is in use. Based on analysis of its code, it places its own UI on top of the screen whenever the device is unlocked. Users cannot uninstall the malicious app through the usual means, because the system UI, and even the AV’s UI, is always “covered” by the malware’s UI.
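As an added illustration (not code from the original post or from Trend Micro), here is a small manifest triage heuristic for the lock-screen overlay behaviour just described. Since the post does not name them, it assumes that such a locker requests the SYSTEM_ALERT_WINDOW permission and registers a receiver for the USER_PRESENT or SCREEN_ON broadcast; the manifest it checks is constructed.

```python
# Added example, not part of the original post. Flags a decoded
# AndroidManifest.xml that combines "draw over other apps" with a hook
# that fires when the device is unlocked, the pattern behind a locker
# whose UI always sits on top of the system and AV UI.
# Assumption: the locker uses SYSTEM_ALERT_WINDOW plus a receiver for
# USER_PRESENT / SCREEN_ON; the post itself does not name these.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
UNLOCK_ACTIONS = {
    "android.intent.action.USER_PRESENT",  # user unlocked the device
    "android.intent.action.SCREEN_ON",     # screen turned on
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return which locker indicators a decoded manifest exhibits."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    actions = {a.get(name_attr) for a in root.iter("action")}
    overlay = OVERLAY_PERM in perms
    unlock_hooks = sorted(actions & UNLOCK_ACTIONS)
    return {
        "overlay": overlay,
        "unlock_hooks": unlock_hooks,
        # A small permission set matches the "only has few permissions" note.
        "permission_count": len(perms),
        # Both indicators together match "UI on top whenever unlocked".
        "locker_pattern": overlay and bool(unlock_hooks),
    }


# Constructed sample manifest (not a real sample) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Watcher">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.SCREEN_ON"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it over a manifest extracted with a decoder such as apktool; a hit is a triage lead, not proof of malice, since legitimate overlay apps request the same permission.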
It also tries to connect to several URLs that serve as its command-and-control (C&C) servers. These are currently inaccessible, though one of them was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers, but only in a limited way, because it requests few permissions.
These URLs are hosted in two IP addresses located in the U.S. and in the Netherlands. Further analysis reveals that these IP addresses also host other malicious URLs, though not related to this particular malware.
The Continued Migration to Mobile and Best Practices
Over the last couple of years, “desktop” malware has continued to make its way to mobile endpoints. We reported last March that we encountered Bitcoin-mining malware that targets Android devices. To avoid these threats, we strongly suggest that you disable your device’s ability to install apps from sources outside of Google Play, double check the developer of any app you want to download, and read its reviews carefully to verify the app’s legitimacy.
This setting can be found under Security in the system settings of Android devices. On-device security solutions (like Trend Micro Mobile Security) provide an additional layer of protection that detects even threats which arrive outside of authorized app stores.
With additional analysis from Yang Yang and Paul Pajares