Android Ransomware Gets Smarter, Evades AV Detection

New Android ransomware has been discovered, and apparently no mobile antivirus program has been able to detect it. The ransomware was found in a trojanized copy of a popular app called “OK”, a Russian entertainment social network app available in the Google Play store. Interestingly, the version in the official store is completely clean, and the app has between 50 and 100 million installations. The versions circulating in third-party app stores, however, are not clean.

Zscaler researchers say that the Android malware stays silent for the first four hours after installation, which lets the original app operate without interruption. This delay allows the ransomware to bypass detection by AV engines. Once the four hours are over, the user is shown a prompt to activate a device administrator. Device admin rights allow the app to change the screen-unlock password, monitor screen-unlock attempts, lock the screen and set a lock-screen password expiration.
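The four device-admin capabilities listed above correspond to policy tags an app must declare in its device-admin policy file, so they can be triaged statically before any four-hour sandbox delay comes into play. The following is an added example (not Zscaler's tooling or anything from the original post); it assumes an unpacked APK whose `res/xml/device_admin.xml` is available as a string, and the two sample policy files are constructed for illustration.

```python
"""Static triage of an Android device-admin policy file: flag apps that request
the full set of lock-screen controls described in the write-up."""
import xml.etree.ElementTree as ET

# Policy tags Android uses in res/xml/device_admin.xml, mapped to the
# capabilities the article names (constructed mapping for this example).
LOCK_ABUSE_POLICIES = {
    "reset-password": "change the screen-unlock password",
    "watch-login": "monitor screen-unlock attempts",
    "force-lock": "lock the screen",
    "expire-password": "set lock-screen password expiration",
}


def requested_policies(policy_xml: str) -> set:
    """Return the policy tags declared under <uses-policies> in a device-admin file."""
    root = ET.fromstring(policy_xml)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin policy file")
    return {child.tag for block in root.findall("uses-policies") for child in block}


def triage(policy_xml: str) -> dict:
    """Score a policy set: each lock-abuse policy adds one point; requesting all
    four at once matches the profile in the article and is flagged for review."""
    found = requested_policies(policy_xml) & set(LOCK_ABUSE_POLICIES)
    return {
        "lock_abuse_policies": sorted(found),
        "score": len(found),
        "review": len(found) == len(LOCK_ABUSE_POLICIES),
    }


# Constructed sample: a policy file requesting exactly the capabilities listed above.
SUSPICIOUS = """<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password /><watch-login /><force-lock /><expire-password />
  </uses-policies>
</device-admin>"""

# Constructed sample: a device-management agent that only enforces passcode quality.
BENIGN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><limit-password /></uses-policies>
</device-admin>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(xml))
```

A hit from this check is a reason to look harder at a sample, not proof of malice, since legitimate device-management apps also declare some of these policies.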

Unfortunately, pressing the Cancel button doesn’t help, as the prompt quickly reappears, preventing the user from taking any action, including uninstalling the app. Pressing the Activate button, on the other hand, locks the screen and displays a full-screen ransom note.

The researchers analyzed the ransomware to determine whether it sends the victim’s data to a server. They found no leak of personal data, contrary to what the ransom note claims. In addition, the ransomware turned out to be incapable of unlocking the user’s phone.

Regardless of whether the user transfers the requested ransom amount to the attacker’s e-wallet, the ransomware will not stop operating. As soon as the phone screen is locked, the malware notifies its Command & Control (C&C) server about the new victim. Interestingly, the malware contains no functionality to confirm whether the user has paid the ransom, so it simply keeps running.

How Does the Ransomware Evade AV Detection?

After analyzing how clean apps such as the Russian OK app became infected, the researchers concluded that the threat author has created an automated method for injecting the ransomware into multiple apps.

In short, most AV engines execute samples for only a few seconds or minutes to detect malicious behavior associated with an app. In this case, the ransomware didn’t reveal its presence for four hours, so the malware author evaded the dynamic analysis performed by antivirus systems. “Considering the stealth tactics designed into this sample, it wouldn’t be difficult to imagine the author successfully uploading this ransomware to the Google Play Store”, the researchers add.

Mitigation

Infected users should boot their devices into Safe Mode, which disables third-party applications. They should then revoke the device admin privilege of the infected app, uninstall the app and reboot the device back into normal mode.

Security tip: To minimize the risk of such infections, go to Security settings/Device administration and de-select “Unknown sources”, so that apps from third-party stores cannot be installed.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
