Ransomware has become a serious problem for users of mobile devices. Both lock-screen ransomware and file-encrypting “crypto-ransomware” have been causing significant financial and data losses for years, and both have now made their way to the Android platform. ESET has prepared a white paper on the growth of this insidious Android malware.
Like other types of Android malware, SMS trojans for instance, ransomware has evolved over the past few years, with malware writers adopting many of the same techniques that have proven effective in desktop malware.
Currently, lock-screens are usually of the “police ransomware” type on both Windows and Android: they try to scare the affected user into paying by accusing them of storing illegal content on the device.
Just like the infamous Windows Cryptolocker family, crypto-ransomware on Android has started using strong cryptography, which leaves affected users with no practical way of recovering the hijacked files. Because many people now keep their everyday data on smartphones rather than PCs, the potential for losing that data is greater than ever.
According to security researchers, the attackers are no longer focused mainly on Eastern European countries. Recent families such as Android/Simplocker and Android/Lockerpin have been targeting victims in the USA.
Ransomware is a type of malware which demands a sum of money from an infected user while promising to “release” a hijacked resource in exchange. There are two general categories of malware that fall under the category of ‘ransomware’:
- Lock-screen ransomware
- Crypto-ransomware
With lock-screen ransomware, the hijacked resource is access to the compromised device. With file-encrypting crypto-ransomware, it is the user’s files.
Since 2013, both types of ransomware have been a very prevalent problem on the Windows platform, causing trouble for individuals and businesses alike.
As users switch more and more from PCs to mobile devices, more valuable data is being stored on those devices, which makes Android ransomware ever more worthwhile for cybercriminals.
In any case, all Android users should be aware of ransomware threats and take preventive measures: avoid unofficial app stores, keep a mobile security app installed and up to date, and maintain a working backup of all important data from the device (and check that the backup can actually be restored).
If users do get infected by ransomware, they have several options for removing it, depending on the specific variant.
For most simple lock-screen ransomware families, booting the device into Safe Mode, in which third-party applications (including the malware) are not loaded, will do the trick, and the user can then uninstall the malicious application. The steps for entering Safe Mode vary between device models (consult the manual or search for your model). If the application has been granted Device Administrator privileges, these must first be revoked in the Settings menu (Security > Device administrators) before the app can be uninstalled; otherwise the uninstall fails.
If ransomware with Device Administrator rights has locked the device using Android’s built-in PIN or password screen lock, the situation is more complicated. It should be possible to reset the lock using Google’s Android Device Manager or an alternative MDM solution, provided the device is enrolled with one. Rooted Android phones have further options. A factory reset, which deletes all data on the device, can be used as a last resort if no MDM solution is available.
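The removal steps above start with one question: which installed app holds Device Administrator rights, and does it hold the policies (force-lock, reset-password) that a screen-locker needs? The following triage helper is an added example, not ESET's tooling or anything from the white paper. It parses the output of `adb shell dumpsys device_policy` (the sample below is constructed and its layout only approximates what real devices print; `com.example.fakeplayer` is a made-up package) and prints the cleanup commands to run from Safe Mode. The `am start` and `pm uninstall` commands are standard adb commands; everything else here is assumption.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output. The layout
# approximates what Android prints; it is not taken from the original article,
# and com.example.fakeplayer is a made-up package name.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
      testOnlyAdmin=false
      policies:
        wipe-data
    com.example.fakeplayer/.LockAdmin:
      uid=10217
      testOnlyAdmin=false
      policies:
        force-lock
        reset-password
        disable-camera
      passwordQuality=0x0
"""

ADMIN_HEADER = re.compile(r"^\s*Enabled Device Admins \(User (\d+)")
COMPONENT = re.compile(r"^\s{4}([\w.]+)/(\S+):\s*$")
POLICY = re.compile(r"^\s{8}([a-z-]+)\s*$")

# Packages shipped with the OS; everything else is treated as third party.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")
# Policies a screen-locker needs to lock the device or set its own PIN.
LOCK_POLICIES = {"force-lock", "reset-password"}


def parse_active_admins(dumpsys_text):
    """Return one dict per active Device Administrator: user, package,
    component and the list of policies it has been granted."""
    admins, user, current, in_policies = [], None, None, False
    for line in dumpsys_text.splitlines():
        m = ADMIN_HEADER.match(line)
        if m:
            user = int(m.group(1))
            continue
        m = COMPONENT.match(line)
        if m and user is not None:
            current = {"user": user, "package": m.group(1),
                       "component": f"{m.group(1)}/{m.group(2)}", "policies": []}
            admins.append(current)
            in_policies = False
            continue
        if current is None:
            continue
        if line.strip() == "policies:":
            in_policies = True
            continue
        m = POLICY.match(line)
        if in_policies and m:
            current["policies"].append(m.group(1))
        else:
            in_policies = False   # any other line ends the policies list
    return admins


def suspicious_admins(admins):
    """Third-party admins holding the policies a lock-screen ransomware needs."""
    return [a for a in admins
            if not a["package"].startswith(SYSTEM_PREFIXES)
            and LOCK_POLICIES & set(a["policies"])]


def cleanup_commands(admin):
    """Commands to run once the device is in Safe Mode (or otherwise usable).
    The admin privilege has to be revoked first in the Settings UI; `pm
    uninstall` fails while the app is still an active administrator."""
    return [
        # Opens Settings; revoke the admin under Security > Device administrators.
        "adb shell am start -a android.settings.SECURITY_SETTINGS",
        f"adb shell pm uninstall --user {admin['user']} {admin['package']}",
    ]


def triage(dumpsys_text):
    """Full run: parse, pick out the suspicious admins, list the cleanup steps."""
    return [(a["component"], sorted(a["policies"]), cleanup_commands(a))
            for a in suspicious_admins(parse_active_admins(dumpsys_text))]


if __name__ == "__main__":
    for component, policies, cmds in triage(SAMPLE_DUMPSYS):
        print(component, policies)
        for c in cmds:
            print("   ", c)
```

On a real device, replace `SAMPLE_DUMPSYS` with the captured output (`adb shell dumpsys device_policy > dp.txt`). The system-package filter is deliberately coarse: a locker that installs under a name mimicking a Google package would slip past it, so treat the list as a starting point and confirm each admin in the Settings UI.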
If files on the device have been encrypted by crypto-ransomware such as Android/Simplocker, we advise users to contact their security provider’s technical support. Depending on the specific ransomware variant, decrypting the files may or may not be possible.
Even so, affected users should not pay the ransom, for several reasons. While some established Windows crypto-ransomware gangs have reached a level of professionalism where victims usually do get their files decrypted, that is by no means always the case.
File-encrypting crypto-ransomware is extremely popular among malware writers, and there are many different families of Windows Filecoders (the ESET detection name for the category). Many have jumped on the bandwagon hoping to copy the success of Cryptolocker and the like, but our technical analyses of these families have shown that many of them are implemented poorly (a key hardcoded into the sample, for instance). For users this means two things: firstly, that even if they do pay, their files may not get decrypted; secondly, that it may be possible to decrypt the files without paying.
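To make the "implemented poorly" point concrete, here is an added example (constructed for this page; it does not reproduce the internals of Simplocker or any other named family). It contrasts the weak pattern, one key baked into the app, with a design that generates a fresh key per victim and keeps it off the device, and shows the analyst's side: try every key recoverable from the sample and accept one only if the decrypted file starts with the expected magic bytes. The stream cipher is an HMAC-SHA256 counter-mode stand-in for AES-CTR so that the code runs on the standard library alone; the hardcoded key, the file contents and the dictionary standing in for the attacker's server are all made up.

```python
import hashlib
import hmac
import os
import struct


def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    It stands in for AES-CTR so the example runs on the standard library only;
    the design lesson does not depend on which cipher is used."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# Weak design: one key baked into the app. Whoever unpacks the APK gets it,
# and every victim's files fall to the same decryptor. (Made-up constant.)
HARDCODED_KEY = hashlib.sha256(b"constructed-example-password").digest()


def weak_encrypt(plaintext):
    nonce = os.urandom(8)
    return nonce + keystream_xor(HARDCODED_KEY, nonce, plaintext)


# Stronger design: a fresh random key per victim that leaves the device (here
# a dict stands in for the attacker's server) and is never stored locally.
# Cryptolocker-style families instead wrap it with an attacker public key;
# either way the key is not on the device for an analyst to find.
def strong_encrypt(plaintext, cnc_storage):
    victim_key = os.urandom(32)
    victim_id = os.urandom(4).hex()
    cnc_storage[victim_id] = victim_key
    nonce = os.urandom(8)
    return victim_id, nonce + keystream_xor(victim_key, nonce, plaintext)


def try_offline_recovery(blob, candidate_keys, expected_prefix):
    """What an analyst does with keys pulled out of the sample: try each one
    and accept it only if the result starts with the known file magic
    (a known-plaintext check; JPEG files begin with FF D8 FF)."""
    nonce, ciphertext = blob[:8], blob[8:]
    for key in candidate_keys:
        plaintext = keystream_xor(key, nonce, ciphertext)
        if plaintext.startswith(expected_prefix):
            return plaintext
    return None


JPEG_MAGIC = b"\xff\xd8\xff\xe0"


def demo():
    """Returns (weak file recovered with the sample's key,
                strong file recovered with the sample's key,
                strong file recovered with the server-side key)."""
    photo = JPEG_MAGIC + b"constructed JPEG body " * 4   # constructed sample file
    keys_from_sample = [HARDCODED_KEY]

    weak_blob = weak_encrypt(photo)
    cnc = {}
    victim_id, strong_blob = strong_encrypt(photo, cnc)

    return (
        try_offline_recovery(weak_blob, keys_from_sample, JPEG_MAGIC) == photo,
        try_offline_recovery(strong_blob, keys_from_sample, JPEG_MAGIC) is not None,
        try_offline_recovery(strong_blob, [cnc[victim_id]], JPEG_MAGIC) == photo,
    )


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The middle result is the whole argument of the paragraph above: once the key lives only with the attacker, no amount of reverse engineering the app recovers the files, and the victim is left trusting the criminals. The first result is why it is worth asking a security vendor before paying: when the author shipped the key inside the app, a decryptor can be built from the sample alone.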
For a single user or business facing the loss of data to crypto-ransomware, it comes down to a question of trust: can the cybercriminals be trusted to keep their end of the bargain and decrypt the files once the ransom has been paid? There are no guarantees, and even if the files are decrypted, nothing stops the attackers from coming back for more.
As already mentioned, prevention, by following basic security principles, running updated security software on Android, and backing up your data (somewhere other than the device itself), is a far more sensible option. With all of these precautions readily available and easy to use, there is really no reason not to take them.