'First Android ransomware' to target UK

News by Tim Ring

What's claimed to be the first Android mobile ransomware to hit UK users has been discovered as hackers race to target these devices - with three separate ransomware attacks being revealed in the last ten days.

On 11 June, Kaspersky Lab blogger Roman Unuchek warned that a new ransomware variant of the Svpeng banking Trojan is currently targeting users in the UK, UK, Switzerland, Germany, India and Russia, while focusing its attacks mainly in the US.

It follows his announcement two days earlier that the ‘Pletor' Android ransomware was out in the wild and had infected more than 2,000 systems in 13 countries, mainly in the former USSR.

Meanwhile, on 4 and 9 June, researchers at ESET and Symantec confirmed the appearance of a third threat, the Simplocker file-encrypting ransomware, aimed at Russian-speaking Android device owners.

Researchers say this marks the first time that file-encrypting ransomware has appeared on the Android platform, whose vulnerability is increasingly attracting malware authors. Svpeng is also the first such ransomware attack on UK users, according to David Emm, senior security researcher at Kaspersky Lab.

He told SCMagazineUK.com by email: “It's the first time we've seen mobile ransomware targeting the UK specifically. Cybercriminals are increasingly targeting smartphones, eager to capitalise on the growing use of these devices for personal and business use – hence the exponential growth in mobile malware.”

Kaspersky was not able to confirm the number of UK infections at time of writing.

Svpeng is described as “typical ransomware” by Unuchek in his blog. But he warns it is likely to evolve to start stealing users' banking credentials as well.

Once it has been downloaded, Svpeng purports to scan the phone, and then flashes up a fake FBI message saying it has found pornographic content. It blocks the phone and demands a £118 payment to unblock it. It also displays a photo of the user taken by the phone's front camera.

“The creators of the Trojan accept MoneyPak vouchers for the ransom payments,” Unuchek said.

Svpeng currently blocks the whole mobile device but has the capability to simply encrypt user data.

It also checks whether the device has mobile apps from several major US banks and payment companies – including American Express, Citibank and Chase – and sends the result back to its command server.

This paves the way for Svpeng to go back to its original use, Unuchek said: “Considering that Svpeng is, first and foremost, a banking Trojan, we can expect to see attacks on the clients of these banks who use mobile apps to manage their accounts.”

Explaining why Svpeng and the other ransomware campaigns are targeting Android, Emm added: “Cybercriminals, like electricity, follow the path of least resistance – and that's Android currently. Google has taken an open, flexible approach – good for manufacturers, mobile networks and customers alike. But it also provides scope for cyber criminals to develop malicious apps.”

Dave Hartley, a principal consultant with UK-based cyber security firm MWR InfoSecurity, agreed that Android devices are so vulnerable that these “unsophisticated” ransomware campaigns are able to succeed.

He told SCMagazineUK.com: “MWR has sought to raise awareness of the fact that exploitable weaknesses and vulnerabilities exist in the latest and greatest offerings from Android mobile device manufacturers, which could be abused by sophisticated malware and/or motivated attackers to take full control of devices, without requiring user interaction.

“The current campaigns seem to be reasonably successful without having to try very hard at all. Should the manufacturers, vendors, OEMs etc not address the issues highlighted by researchers, in the future and as more users become savvy to the risks they face, we may see more sophisticated measures employed. They are not required as of now.”

Asked what users and security professionals can do to protect themselves, Hartley said: “By default, Google's Android will stop users installing applications other than those that have passed through their marketplace. This malware required the user to have accepted the risk of installing unverified software, meaning it's more difficult to become infected with this malware than on a desktop PC.

“So far, malware hasn't had to try very hard to get itself installed, because users aren't aware of the risks. The best protection is, as with desktops, to be aware of the risks, make good judgments when installing software and always review the requested permissions.”

Emm advised: “The key is to ensure that mobile devices are managed in the same way as other end points. This includes anti-malware protection, application control and backup of important data stored on the device.”

Figures from F-Secure in March show while the Android platform has 87 percent of the global smartphone market, it attracts 97 percent of all mobile malware.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews