Android banking trojans now also include ransomware features. Their main purpose is locking the user's device and encrypting the data on it.
Even though Android banking trojans are dangerous, very few of them focus on collecting login credentials for banking portals and instant messaging applications. However, once the ransomware feature is activated, the developers of the banking trojan are fully satisfied with the result.
Usually, the ransomware feature of the trojan serves as a secondary monetization feature, activated on devices where the original banking trojan has failed to collect login credentials or credit card details.
Because not all users infected with an Android banking trojan use banking applications, the ransomware feature is the hackers' last chance to take the victims' money.
One threat with a ransomware feature is Android.SmsSpy.88. It was detected in May this year by Dr.Web security researchers and was immediately offered for rent on underground hacking forums.
However, there is another insidious reason to activate a banking trojan's ransomware screen-locking feature: to keep users busy while cyber criminals initiate fraudulent transactions.
While the user is trying to figure out how to unlock the phone, the hackers hope the victim will be too busy to notice the SMS or email alerts for large or fraudulent transactions taking place in their bank account.
Until the victim removes the ransom screen or resets the device, the criminals have hours, or even days, to transfer the stolen money to different bank accounts and withdraw it via ATMs. In this way, the police cannot identify the hackers. An example of such an attack is a malware called Fanta SDK, discovered by Trend Micro six months ago.
Android.SmsSpy and Fanta SDK, together with the original Svpeng banking trojan, were the first to add ransomware-like features and came with support for locking the user’s screen with a random PIN.
Kaspersky Lab analyst Roman Unuchek reports that a recent version of the Faketoken trojan (Trojan-Banker.AndroidOS.Faketoken) has added ransomware features that also encrypt user files, just like modern-day desktop ransomware.
Faketoken's encryption process uses the AES algorithm to lock files. Files with 89 different extensions are targeted, but according to Unuchek the encryption feature is rarely used, with the trojan focusing instead on its phishing capabilities, which presently target over 2,000 financial apps and users in 27 countries.
This Android banking trojan was first registered in July 2016, but its crypto-ransomware feature offers a glimpse of the future of Android banking trojans, which will find ways to extort money from all victims.
Last week, another Android banking trojan called Tordow was found, and it too came with encryption-based ransomware features. However, because of today's mobile OS landscape, mobile ransomware is not as dangerous as it is on desktops and laptops.
“We would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently),” Unuchek states, “which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless.”