
'First Android ransomware' to target UK


What's claimed to be the first Android mobile ransomware to hit UK users has been discovered as hackers race to target these devices - with three separate ransomware attacks being revealed in the last ten days.


On 11 June, Kaspersky Lab blogger Roman Unuchek warned that a new ransomware variant of the Svpeng banking Trojan is currently targeting users in the US, UK, Switzerland, Germany, India and Russia, while focusing its attacks mainly on the US.

It follows his announcement two days earlier that the 'Pletor' Android ransomware was out in the wild and had infected more than 2,000 systems in 13 countries, mainly in the former USSR.

Meanwhile, on 4 and 9 June, researchers at ESET and Symantec confirmed the appearance of a third threat, the Simplocker file-encrypting ransomware, aimed at Russian-speaking Android device owners.

Researchers say this marks the first time that file-encrypting ransomware has appeared on the Android platform, whose vulnerability is increasingly attracting malware authors. Svpeng is also the first such ransomware attack on UK users, according to David Emm, senior security researcher at Kaspersky Lab.

He told SCMagazineUK.com by email: “It's the first time we've seen mobile ransomware targeting the UK specifically. Cybercriminals are increasingly targeting smartphones, eager to capitalise on the growing use of these devices for personal and business use – hence the exponential growth in mobile malware.”

Kaspersky was not able to confirm the number of UK infections at time of writing.

Svpeng is described as “typical ransomware” by Unuchek in his blog. But he warns it is likely to evolve to start stealing users' banking credentials as well.

Once it has been downloaded, Svpeng purports to scan the phone, and then flashes up a fake FBI message saying it has found pornographic content. It blocks the phone and demands a £118 payment to unblock it. It also displays a photo of the user taken by the phone's front camera.

“The creators of the Trojan accept MoneyPak vouchers for the ransom payments,” Unuchek said.

Svpeng currently blocks the whole mobile device but has the capability to simply encrypt user data.

It also checks whether the device has mobile apps from several major US banks and payment companies – including American Express, Citibank and Chase – and sends the result back to its command server.

This paves the way for Svpeng to go back to its original use, Unuchek said: “Considering that Svpeng is, first and foremost, a banking Trojan, we can expect to see attacks on the clients of these banks who use mobile apps to manage their accounts.”

Explaining why Svpeng and the other ransomware campaigns are targeting Android, Emm added: “Cybercriminals, like electricity, follow the path of least resistance – and that's Android currently. Google has taken an open, flexible approach – good for manufacturers, mobile networks and customers alike. But it also provides scope for cyber criminals to develop malicious apps.”

Dave Hartley, a principal consultant with UK-based cyber security firm MWR InfoSecurity, agreed that Android devices are so vulnerable that these “unsophisticated” ransomware campaigns are able to succeed.

He told SCMagazineUK.com: “MWR has sought to raise awareness of the fact that exploitable weaknesses and vulnerabilities exist in the latest and greatest offerings from Android mobile device manufacturers, which could be abused by sophisticated malware and/or motivated attackers to take full control of devices, without requiring user interaction.

“The current campaigns seem to be reasonably successful without having to try very hard at all. Should the manufacturers, vendors, OEMs etc not address the issues highlighted by researchers, in the future and as more users become savvy to the risks they face, we may see more sophisticated measures employed. They are not required as of now.”

Asked what users and security professionals can do to protect themselves, Hartley said: “By default, Google's Android will stop users installing applications other than those that have passed through their marketplace. This malware required the user to have accepted the risk of installing unverified software, meaning it's more difficult to become infected with this malware than on a desktop PC.

“So far, malware hasn't had to try very hard to get itself installed, because users aren't aware of the risks. The best protection is, as with desktops, to be aware of the risks, make good judgments when installing software and always review the requested permissions.”
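The permission review Hartley recommends can be partly automated for anyone with a USB connection and `adb`. The script below is an added example written for this article, not code from Kaspersky Lab, MWR InfoSecurity or any other vendor named here. It assumes the `requested permissions:` section layout of `adb shell dumpsys package`, the set of permissions it treats as risky is an assumption chosen to match the behaviour the article describes (blocking the phone, photographing the user, reading or encrypting files, reporting to a command server), and the dumpsys text embedded in it is constructed for the example rather than captured from a real device.

```python
"""Triage the permissions requested by sideloaded Android apps.

Added example for this article; it is not code from Kaspersky Lab, MWR
InfoSecurity or any vendor named here. It assumes the `requested permissions:`
section layout of `adb shell dumpsys package`; the SAMPLE_DUMPSYS text below is
constructed for the example, not captured from a real device.
"""
import re
from typing import Dict, List, Set, Tuple

# Permissions an app would need for the behaviour the article describes
# (blocking the phone, taking a front-camera photo, reading or encrypting user
# files, reporting to a command server). Which permissions count as risky is an
# assumption of this example, not a published indicator list.
RISKY: Set[str] = {
    "android.permission.SYSTEM_ALERT_WINDOW",     # draw over every other app
    "android.permission.CAMERA",                  # photo of the user
    "android.permission.RECEIVE_BOOT_COMPLETED",  # come back after a reboot
    "android.permission.READ_EXTERNAL_STORAGE",   # read user files
    "android.permission.WRITE_EXTERNAL_STORAGE",  # overwrite or encrypt them
    "android.permission.INTERNET",                # talk to a command server
}

# Constructed sample in the layout of `dumpsys package` (two third-party apps).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10104
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.video.codec] (4d5e6f):
    userId=10105
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.CAMERA
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+)\s*$")


def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package to the permissions listed under `requested permissions:`."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):
            in_requested = False  # some other dumpsys section has started
            continue
        if in_requested and current is not None:
            perm = PERM_RE.match(line)
            if perm:
                result[current].add(perm.group(1))
    return result


def triage(dump: str, threshold: int = 4) -> List[Tuple[str, List[str]]]:
    """Return (package, matching risky permissions) for apps at or above threshold."""
    flagged = []
    for package, perms in parse_requested_permissions(dump).items():
        hits = sorted(perms & RISKY)
        if len(hits) >= threshold:
            flagged.append((package, hits))
    return flagged


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then pass the text in.
    for package, hits in triage(SAMPLE_DUMPSYS):
        print(f"{package}: review before trusting, requests {', '.join(hits)}")
```

A high score here is a reason to look at the app, not a verdict: a genuine camera or backup app legitimately requests several of the same permissions, and a package that asks for only a few of them can still be malicious, so the threshold is a triage aid for the manual review Hartley describes rather than a substitute for it.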

Emm advised: “The key is to ensure that mobile devices are managed in the same way as other end points. This includes anti-malware protection, application control and backup of important data stored on the device.”

Figures from F-Secure in March show that while the Android platform has 87 percent of the global smartphone market, it attracts 97 percent of all mobile malware.
