Early this month, a new variant of mobile ransomware SLocker (detected by Trend Micro as ANDROIDOS_SLOCKER.OPST) was detected, copying the GUI of the now-infamous WannaCry. The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom. After laying low for a few years, it had a sudden resurgence last May. This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.Read More
65 million: the number of times we’ve blocked mobile threats in 2016. By December 2016, the total number of unique samples of malicious Android apps we’ve collected and analyzed hit the 19.2 million mark—a huge leap from the 10.7 million samples collected in 2015.
Indeed, the ubiquity of mobile devices among individual users and organizations, along with advances in technologies that power them, reflect the exponential proliferation, increasing complexity and expanding capabilities of mobile threats.
While the routines and infection chain of mobile threats are familiar territory, 2016 brought threats with increased diversity, scale, and scope to the mobile landscape. More enterprises felt the brunt of mobile malware as BYOD and company-owned devices become more commonplace, while ransomware became rampant as the mobile user base continued to become a viable target for cybercriminals. More vulnerabilities were also discovered and disclosed, enabling bad guys to broaden their attack vectors, fine-tune their malware, increase their distribution methods, and in particular, invade iOS’s walled garden.Read More
A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App Reputation Service.) One trend noticed during this time is that it closely mirrors the path paved by traditional ransomware: like other ransomware types, mobile ransomware is constantly evolving and growing.Read More
While SNSLocker isn’t a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland façade hid quite a surprise. After looking closer at its code, we discovered that this Ransomware contains the credentials for the access of its own server.
We also found out that they used readily-available servers and payment systems. This shows that the authors behind SNSLocker are in it for the same reason a lot of cybercriminals have moved to ransomware: easy setup of systems for massive infection, and quick return of income. However, they were either too quick or they aren’t investing that much on the operation when they left their credentials out in the open (The credentials have also been shared in social media by other security researchers). We have reported this finding to law enforcement agencies.Read More
We have recently caught sight of a mobile ransomware distributed by fake adult websites. It not only locks the device screen and display a warning supposedly coming from law enforcement—a tactic reminiscent of the Police Trojan that plagued desktops before—it also activates the unit’s front facing camera to add to its scare tactic. However, while it has routines unique to mobile ransomware, it also has a particular set of weaknesses that stand out.Read More