Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android Ransomware Employs Advanced Evasion Techniques

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

The malware was found hidden inside the repackaged Russian entertainment social network app OK, which the malware author disassembled to insert malicious code, researchers say. The good news, however, is that the legitimate variant of OK, which has over 50 million downloads in Google Play, hasn’t been compromised.

The first evasion technique leveraged by the mobile threat involves kicking off the malicious activity four hours after the initial installation. Most detection mechanisms expect malware to immediately start operation, meaning that this ransomware won’t be immediately detected.

After the four hours have passed, however, users are prompted to activate device administrator rights for the application. Users can’t dismiss the activation screen and clicking the “Cancel” button won’t help either, because the screen is immediately re-displayed until admin rights are enabled, the security researchers reveal.

As soon as this happens, the malicious app locks the device’s screen and displays a ransom note, informing users that their data has been encrypted and sent to the attacker’s servers. Users are urged to pay a 500 Rubles ransom to restore data and unlock the device. The attackers also attempt to scare users into paying by claiming that they would send a message to all of the victim’s contacts to inform them that the device has been “blocked for viewing child pornography.”

According to Zscaler, however, the malware does not exfiltrate any of the victims’ data, and it has no means of unlocking the compromised device. Although the rasnomware does inform the command and control (C&C) server of the new victim, it has no mechanism to confirm that the ransom was paid, meaning that the device remains locked regardless of victim’s willingness to pay or not.

In addition to the delayed start of malicious activities, the ransomware’s malicious code is highly obfuscated. “Almost all strings, method names, variable names, and class names are disguised in such a way that it’s extremely difficult to understand the code. Most of these methods are invoked using Java reflection technique, which allows the author to evade static analysis detection,” Zscaler says.

To stay protected from this threat, users are advised to avoid installing applications from third-party app stores. Those who were already infected should reboot the device in Safe Mode, remove the application’s admin rights, then uninstall it and reboot the device in normal mode.

Advertisement. Scroll to continue reading.

Based on the use of advanced stealth tactics in this ransomware, Zscaler says that the malware author could be able to successfully upload its creation to the Google Play application storefront, although they haven’t so far.

Related: Charger Android Ransomware Infects Apps on Google Play

Related: Updated Tordow Android Malware Gets Ransomware Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.