New Android ransomware has been discovered that, at the time of analysis, no mobile antivirus engine detected. It was found in a trojanized copy of “OK”, a Russian entertainment and social-networking app. The version in the official Google Play store, which has between 50 and 100 million installations, is clean; the copies circulating in third-party app stores are not.
Zscaler researchers say the malware stays silent for the first four hours after installation, so the repackaged app keeps working normally and nothing suspicious happens while an AV sandbox is watching. Once the four hours are up, the user is prompted to add a device administrator. If granted, this lets the app change the screen-unlock password, monitor screen-unlock attempts, lock the screen and set a lock-screen password expiration.
Pressing Cancel does not help: the prompt reappears almost immediately, which blocks the user from doing anything else, including uninstalling the app. Pressing Activate locks the screen and displays a full-screen ransom note.
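The device-administrator request described above leaves a static footprint in the APK: a receiver guarded by BIND_DEVICE_ADMIN, a DEVICE_ADMIN_ENABLED intent filter, and a device_admin policy file listing the requested policies. The script below is an added example, not Zscaler's tooling and not code from the OK app; it assumes the APK has already been decoded to plain XML (apktool does this) and flags receivers that register as device admins with the four policies the article lists. The package, class and resource names are hypothetical and both manifests and the policy file are constructed for the example.

```python
"""Static triage of a decoded Android APK for device-admin abuse.

Added example, not Zscaler's tooling and not code from the OK app. Assumes
the APK was decoded to plain XML first (apktool), so AndroidManifest.xml and
res/xml/*.xml parse with ElementTree. All XML below is constructed; package,
class and resource names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Element names Android uses inside <uses-policies>, keyed to the capabilities
# the article lists for this sample's device-admin request.
POLICY_MEANING = {
    "reset-password": "change the screen-unlock password",
    "watch-login": "monitor screen-unlock attempts",
    "force-lock": "lock the screen",
    "expire-password": "set lock-screen password expiration",
}

# Constructed manifest of a repackaged app that gained a device-admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged">
  <application android:label="OK">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".LockAdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed res/xml/device_admin.xml requesting the four policies.
SAMPLE_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <force-lock/>
    <reset-password/>
    <watch-login/>
    <expire-password/>
  </uses-policies>
</device-admin>"""

# Constructed manifest with no device-admin receiver, for the negative case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clean">
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def device_admin_receivers(manifest_xml):
    """Return (receiver class, policy resource) for each receiver guarded by
    BIND_DEVICE_ADMIN that listens for DEVICE_ADMIN_ENABLED, which is the
    registration Android requires before an app can become a device admin."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" not in actions:
            continue
        resource = ""
        for meta in receiver.iter("meta-data"):
            if meta.get(ANDROID + "name") == "android.app.device_admin":
                resource = meta.get(ANDROID + "resource", "")
        found.append((receiver.get(ANDROID + "name", ""), resource))
    return found


def requested_policies(policy_xml):
    """Set of policy element names found under <uses-policies>."""
    root = ET.fromstring(policy_xml)
    return {child.tag for block in root.iter("uses-policies") for child in block}


def triage(manifest_xml, policies_by_resource):
    """One finding per device-admin receiver. policies_by_resource maps a
    resource reference such as "@xml/device_admin" to that file's text.
    lockscreen_takeover is this script's heuristic: force-lock together with
    reset-password is enough to lock the user out and set a new password."""
    findings = []
    for receiver, resource in device_admin_receivers(manifest_xml):
        policies = requested_policies(policies_by_resource.get(resource, "<device-admin/>"))
        findings.append({
            "receiver": receiver,
            "policy_resource": resource,
            "policies": sorted(policies),
            "capabilities": [POLICY_MEANING[p] for p in sorted(policies) if p in POLICY_MEANING],
            "lockscreen_takeover": {"force-lock", "reset-password"} <= policies,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MANIFEST, {"@xml/device_admin": SAMPLE_POLICY}):
        print(f["receiver"], f["policies"], "takeover" if f["lockscreen_takeover"] else "review")
```

Run it against a decoded APK by reading AndroidManifest.xml and the referenced res/xml file into the two arguments. A device-admin receiver is not malicious by itself (MDM clients and some anti-theft apps need these policies), so treat a hit as a reason to compare the sample's signing certificate and package against the Play store version, which is how a repackaged copy like the one described here is confirmed.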
The researchers also checked whether the ransomware sends the victim’s data to a server, since the ransom note claims it does. They found no such leak. They also found no code path that unlocks the phone, so the sample cannot restore access even if it wanted to.
Paying the requested amount to the attacker’s e-wallet therefore changes nothing: the ransomware keeps running regardless. As soon as the screen is locked, the malware notifies its Command & Control (C&C) server of the new victim, but it contains no functionality to check whether the ransom has been paid, so the lock simply persists.
How Does the Ransomware Evade AV Detection?
When the researchers looked at how a clean app such as the Russian OK app became infected, they found that the author had automated the repackaging: the same ransomware payload is injected into multiple legitimate apps by the same method.
In short, most AV engines execute a sample for a few seconds or minutes in a sandbox and watch for malicious behaviour. This sample does nothing suspicious for four hours, far longer than a typical analysis window, so dynamic analysis sees only the legitimate app. “Considering the stealth tactics designed into this sample, it wouldn’t be difficult to imagine the author successfully uploading this ransomware to the Google Play Store”, the researchers add.
Infected users should boot the device into Safe Mode, which disables third-party apps and therefore stops both the prompt loop and the lock screen. From there, first remove the app’s device administrator privilege (Settings > Security > Device administrators on Android versions of that era), then uninstall the app, then reboot normally. The order matters: Android refuses to uninstall a package while it is still an active device admin.
Security tip: the malicious copies came from third-party stores, so keep “Unknown sources” de-selected (in Security settings, listed under Device administration on older versions of Android) and do not grant device-administrator rights to an app that has no business asking for them.