Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Ransomware Employs Advanced Evasion Techniques

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

The malware was found hidden inside the repackaged Russian entertainment social network app OK, which the malware author disassembled to insert malicious code, researchers say. The good news, however, is that the legitimate variant of OK, which has over 50 million downloads in Google Play, hasn’t been compromised.

The first evasion technique leveraged by the mobile threat involves kicking off the malicious activity four hours after the initial installation. Most detection mechanisms expect malware to immediately start operation, meaning that this ransomware won’t be immediately detected.

After the four hours have passed, however, users are prompted to activate device administrator rights for the application. Users can’t dismiss the activation screen and clicking the “Cancel” button won’t help either, because the screen is immediately re-displayed until admin rights are enabled, the security researchers reveal.

As soon as this happens, the malicious app locks the device’s screen and displays a ransom note, informing users that their data has been encrypted and sent to the attacker’s servers. Users are urged to pay a 500 Rubles ransom to restore data and unlock the device. The attackers also attempt to scare users into paying by claiming that they would send a message to all of the victim’s contacts to inform them that the device has been “blocked for viewing child pornography.”

According to Zscaler, however, the malware does not exfiltrate any of the victims’ data, and it has no means of unlocking the compromised device. Although the rasnomware does inform the command and control (C&C) server of the new victim, it has no mechanism to confirm that the ransom was paid, meaning that the device remains locked regardless of victim’s willingness to pay or not.

In addition to the delayed start of malicious activities, the ransomware’s malicious code is highly obfuscated. “Almost all strings, method names, variable names, and class names are disguised in such a way that it’s extremely difficult to understand the code. Most of these methods are invoked using Java reflection technique, which allows the author to evade static analysis detection,” Zscaler says.

To stay protected from this threat, users are advised to avoid installing applications from third-party app stores. Those who were already infected should reboot the device in Safe Mode, remove the application’s admin rights, then uninstall it and reboot the device in normal mode.

Based on the use of advanced stealth tactics in this ransomware, Zscaler says that the malware author could be able to successfully upload its creation to the Google Play application storefront, although they haven’t so far.

Related: Charger Android Ransomware Infects Apps on Google Play

Related: Updated Tordow Android Malware Gets Ransomware Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...