Android ransomware poses as FBI warning, demands $500 to unlock phone

Criminals also offering ransomware-as-a-service to other hackers

Ransomware posing as an FBI warning has been sent to thousands of Android smartphones and tablets, with the attackers demanding a US$ 500 (£324) fee to unlock victims' devices.

The news comes as security researchers have also uncovered a criminal ring that offers ransomware as a service, allowing hackers to easily create their own extortion malware.

The Android ransomware was detected by researchers working for Bitdefender. Around 15,000 spam emails had been sent from Ukraine, each carrying an APK file purporting to be an Adobe Flash Player update. Bitdefender detects the file as Android.Trojan.SLocker.DZ.

Once the file has been installed, a warning pops up purporting to be from the FBI, telling the victim they have been caught visiting porn websites and that the device will stay locked until a $500 fine is paid. The fee has to be paid via MoneyPal and PayPal MyCash transfers to restore access.

If the victim tries to unlock the device themselves, the fee increases to US$ 1,500 (£972).

"After pressing OK to continue, users see an FBI warning and cannot escape by navigating away," states Catalin Cosoi, chief security strategist at Bitdefender. "The device's home screen delivers an alarming fake message from the FBI telling users they have broken the law by visiting pornographic websites.

"To make the message more compelling, hackers add screenshots of the so-called browsing history. The warning gets scarier as it claims to have screenshots of the victims' faces and know their location."

"Unfortunately, there is not much users can do if infected with ransomware, even if this particular strain does not encrypt the files on the infected terminal. The device's home screen button and back functionalities are no longer working, and turning the device on/off doesn't help either, as the malware runs when the operating system boots," he added.

In another development, security researchers at McAfee Labs discovered a website on the darknet that offers “ransomware-as-a-service”. Kits are being supplied to criminals, with the developers taking a 20 percent cut of any takings.

Dubbed “Tox”, the tool can be customised by criminals whose coding skills may be less proficient than other hackers' but whose intent is just as serious. The toolkit requires only a few steps to customise to the criminal's taste.

Tox runs on the Tor network and is set up to receive payments via Bitcoin.

Jim Walter, the director of advanced threat research for Intel Security, said the malware works as advertised, allowing criminals to extort money.

“We don't expect Tox to be the last malware to embrace this model. We also anticipate more skilled development and variations in encryption and evasion techniques,” he said in a blog post.

Andy Monaghan, senior researcher at Context Information Security, told SC Magazine that it is rare for malware to be installed onto Android devices without any user interaction.

“Usually, the user is tricked into installing a malicious application, when they receive a prompt within their web browser suggesting that they should download software which will make their device 'run faster' or even that their device is infected with malware and they need to download new 'anti-virus' software, which turns out to be malware,” he said.

“These prompts generally occur when a user is browsing web sites, but other methods such as email, text or multimedia messages prompting users to click malicious web links could also cause such a prompt. The golden rule is to never accept such prompts and only install applications from official sources,” he added.

Cathal McDaid, head of data intelligence and analytics at AdaptiveMobile, told SC via email that organisations can deal with this threat by implementing and educating their workers on best practices for mobile security, “which includes not opening and installing unknown or suspicious applications, especially from outside official App stores such as Google Play. They should also not pay the ransom if asked, as generally there are ways to recover data without doing this.”
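The two points above that matter to an incident responder are the infection vector (a sideloaded APK rather than a Play Store install) and the persistence described by Bitdefender (the locker starts again at boot and covers the home screen). The following triage helper is an added example, not code from Bitdefender, SC Magazine or any of the quoted vendors. It assumes an adb connection to a device on which USB debugging was already enabled, and works on the text of two real adb commands, `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys package <pkg>` (which lists requested permissions). All package names and command output in the block are constructed sample data; `com.update.flashplayer` is a hypothetical name standing in for the fake Flash Player update.

```python
"""Triage helper: flag sideloaded Android packages that combine boot
persistence with a permission that lets them cover or lock the screen,
the profile of the SLocker-style locker described in the article.

Added example, not vendor code. Input is the text of:
    adb shell pm list packages -3 -i     (installer per third-party package)
    adb shell dumpsys package <pkg>      (requested permissions, among other things)
"""
import re
from typing import Dict, List, Tuple

PLAY_STORE = "com.android.vending"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
LOCKER_CAPS = {
    "android.permission.SYSTEM_ALERT_WINDOW",  # draw over every other screen
    "android.permission.BIND_DEVICE_ADMIN",    # resist uninstall, lock device
}


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` lines such as
    'package:com.foo  installer=null'."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"\s*package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def requested_permissions(dumpsys_output: str) -> set:
    """Collect every android.permission.* name mentioned in dumpsys output;
    tolerant of layout differences between Android versions."""
    return set(re.findall(r"android\.permission\.[A-Z_]+", dumpsys_output))


def triage(pm_output: str, dumpsys_by_pkg: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) for every package matching the full profile:
    not installed by Google Play, starts at boot, and can cover or lock the screen."""
    findings: List[Tuple[str, List[str]]] = []
    for pkg, installer in parse_installers(pm_output).items():
        perms = requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        sideloaded = installer != PLAY_STORE
        boots = BOOT in perms
        caps = sorted(perms & LOCKER_CAPS)
        if sideloaded and boots and caps:
            reasons = [
                f"sideloaded (installer={installer})",
                "starts at boot (RECEIVE_BOOT_COMPLETED)",
                "can cover or lock the screen: "
                + ", ".join(p.rsplit(".", 1)[1] for p in caps),
            ]
            findings.append((pkg, reasons))
    return findings


# Constructed sample data standing in for the two adb commands' output.
SAMPLE_PM = """\
package:com.update.flashplayer  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.launcher  installer=null
"""

SAMPLE_DUMPSYS = {
    "com.update.flashplayer": """\
  requested permissions:
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.INTERNET
""",
    # Same permissions, but installed from Play: outside this profile.
    "com.example.notes": """\
  requested permissions:
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.SYSTEM_ALERT_WINDOW
""",
    # Sideloaded but harmless permission set.
    "com.example.launcher": """\
  requested permissions:
    android.permission.INTERNET
""",
}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

The profile is deliberately narrow: a Play-installed app requesting the same permissions is a legitimate overlay or device-admin app far more often than not, so it is reported only when the package also arrived outside the store. A hit is a lead for `adb shell pm uninstall <pkg>` after manual confirmation, not a verdict, and the approach only works when debugging access was set up before the locker took over the screen.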

Intelligence director at Palo Alto Networks, Ryan Olson, told SC that in most cases of ransomware “those that are targeted will have their files returned because the cybercriminals don't want word getting round that their get-rich-quick scheme is a scam.”

“Some may not have even encrypted your files, but the ones that have had the most impact will have done so. Some are scams for sure, but if they all were then these criminals wouldn't have made as much money as they have because people would learn not to pay the ransom,” he added.

Dr Guy Bunker, senior vice president at Clearswift, said that criminals target Android because it has now become a sufficiently high-value target.

“The iPhone is more restricted in the way it can run multiple applications at the same time, as well as having better control over the apps which are installed. It doesn't mean that iOS devices won't be a target in the future, it's just that Android is easier to attack at this point in time,” he told SC.