Security researchers from Zscaler ThreatLabZ have recently found a new type of Android ransomware that cannot be detected by antivirus programs.
The new ransomware was found in a version of the “OK” app, one of the most popular Russian entertainment social network applications.
The OK app itself is perfectly legitimate and available in the Google Play Store, with somewhere between 50 and 100 million installs. The genuine application contains no malicious code, unlike the trojanized variant, which is very dangerous and was found on third-party app stores.
The Android ransomware includes several new features. For instance, the malware does not run as soon as the application is installed. Instead, it stays dormant for four hours, during which the phone operates as usual and the app works as it is supposed to.
After four hours, however, the application prompts the user to activate it as a device administrator, which would let the app change the screen-unlock password, monitor screen-unlock attempts, lock the screen and set lock-screen password expiration. As this looks very suspicious, users might simply tap “cancel” instead.
Even if they do, the prompt shows up again and prevents the user from taking any other action or uninstalling the malicious application. If the user grants the app admin rights, the ransom note is immediately displayed on the screen, demanding 500 rubles, which is equal to approx. $9,000.
“We analyzed the sample further to understand whether the malware actually sends a user’s data to a server. We didn’t find any personal data leak as claimed by the ransomware and were not surprised when we found that the ransomware is NOT capable of unlocking the user’s phone,” the experts say.
This means that even if the fee is paid, the ransomware keeps running and the victim does not regain access to their phone, because the malware contains no functionality to confirm whether the ransom has been paid.
According to the security experts, the new Android malware could easily end up injected into apps on the official Google Play Store, because its four-hour stealth delay prevents antivirus programs from detecting it.
Given the above, if you get infected, paying the ransom is useless because the malware will not leave you alone. Instead, boot your device into Safe Mode, which disables third-party applications. Then remove the ransomware app's device administrator privilege, uninstall the application and reboot the device into normal mode.
The most important thing, though, is not to install apps from unknown sources in the future. To stay safe from such malware, go to the security settings on your phone and make sure the “Unknown sources” option is turned off.
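As an added triage example (not code from the Zscaler report), the Python script below parses the enabled device administrators out of `adb shell dumpsys device_policy` output and flags any admin outside an allow-list that holds all four lock-screen policies the prompt described above asks for (reset-password, watch-login, force-lock, expire-password). The dumpsys layout, the package names and the allow-list are assumptions or constructed placeholders; an active admin cannot be uninstalled until it is deactivated, which is why the Safe Mode route above is still needed once a component is flagged.

```python
import re

# Android device-admin policy tags for the four capabilities the fake OK app
# asks for: change unlock password, watch unlock attempts, lock, expire password.
LOCKSCREEN_POLICIES = {"reset-password", "watch-login", "force-lock", "expire-password"}

# Constructed excerpt in the layout of `adb shell dumpsys device_policy`.
# The layout is an assumption and both package names are placeholders.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corp.mdm/.AdminReceiver:
      uid=10042
      policies:
        limit-password
        force-lock
        wipe-data
    com.example.trojanized.ok/.LockerAdmin:
      uid=10137
      policies:
        reset-password
        watch-login
        force-lock
        expire-password
"""

ALLOWLIST = {"com.example.corp.mdm"}  # admins expected on this device (assumed MDM)


def parse_active_admins(text):
    """Return {component: set(policy tags)} for every enabled device admin."""
    admins, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^ {4}(\S+/\S+):\s*$", line)  # "    pkg/.Receiver:"
        if header:
            current = header.group(1)
            admins[current] = set()
        elif current and re.match(r"^ {8}[a-z-]+$", line):  # one policy tag
            admins[current].add(line.strip())
    return admins


def flag_lockscreen_admins(admins, allowlist=ALLOWLIST):
    """Components outside the allow-list holding all four lock-screen policies."""
    return sorted(comp for comp, policies in admins.items()
                  if LOCKSCREEN_POLICIES <= policies
                  and comp.split("/")[0] not in allowlist)


if __name__ == "__main__":
    for comp in flag_lockscreen_admins(parse_active_admins(SAMPLE_DUMPSYS)):
        print("deactivate in Settings > Security > Device administrators:", comp)
```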