Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Android Ransomware Uses Dropper to Increase Effectiveness

The use of droppers to infect devices with ransomware has spread to Android, Symantec security researchers warn.

The use of droppers to infect devices with ransomware has spread to Android, Symantec security researchers warn.

The use of a dropper to deliver malware on Android is a new technique, although it is a very popular one when it comes to malware for desktop computers. Furthermore, researchers say, the actors using it have also implemented a 2D barcode technique meant to help them receive payment from victims, but they did this ineffectively.

Spotted about a year ago, the Lockdroid ransomware was designed to encrypt user files and perform other nefarious activities as well. It requests device admin rights and, if the user grants them, it can also lock devices, prevent the user from uninstalling it using the user interface (UI) or the command line interface, and can even force factory resets, thus erasing all user data from the device.

The malware designed to drop the Android.Lockdroid.E ransomware is being distributed via third-party apps, but also through text messages and forum posts. The malware first attempts to drop a version of itself only onto rooted devices, or locks those devices that haven’t been rooted, Symantec discovered.

Once installed on a device, the malicious app checks to see whether the device has been rooted and requests root access permissions if it has. The malware claims that this would allow it to access thousands of adult movies for free, in an effort to convince potential victims of the necessity of these permissions.

Once the user agrees, the malware drops a copy of itself onto the device, by remounting the /system partition, copying the embedded APK file for Android.Lockdroid.E to /system/app/[THREAT NAME].apk, changing the dropped APK file’s permission to executable, and rebooting the device so the threat can run on boot completed as a system application.

After the reboot, the threat is difficult to uninstall from the infected devices, because it has become a system application. After the installation process has been completed, Android.Lockdroid.E locks the device and displays the ransom screen and 2D barcode.

On unrooted devices, the ransomware immediately locks the device and displays the ransom screen and barcode. In such cases, however, the malware does not drop anything onto the compromised device. According to Symantec, the ransom demanded by this Trojan is rather difficult to pay.

Advertisement. Scroll to continue reading.

“The instructions ask the user to scan the barcode to log in to a messaging app to pay the ransom. While this may seem like a good idea to have victims pay the ransom for their device, it is ineffective in practice. There is no way to scan the barcode or log in to the messaging app from the compromised device, so the barcode must be scanned from a second device. This makes it more difficult for the victim to pay their ransom and for the attacker to receive payment,” the security researchers say.

Related: Android Malware Improves Resilience

Related: Tordow Android Trojan Gets Root Privileges for New Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.