The use of droppers to infect devices with ransomware has spread to Android, Symantec security researchers warn.
The use of a dropper to deliver malware on Android is a new technique, although it is a very popular one when it comes to malware for desktop computers. Furthermore, researchers say, the actors using it have also implemented a 2D barcode technique meant to help them receive payment from victims, but they did this ineffectively.
Spotted about a year ago, the Lockdroid ransomware was designed to encrypt user files and perform other nefarious activities as well. It requests device admin rights and, if the user grants them, it can also lock devices, prevent the user from uninstalling it using the user interface (UI) or the command line interface, and can even force factory resets, thus erasing all user data from the device.
The malware designed to drop the Android.Lockdroid.E ransomware is being distributed via third-party apps, but also through text messages and forum posts. The malware first attempts to drop a version of itself only onto rooted devices, or locks those devices that haven’t been rooted, Symantec discovered.
Once installed on a device, the malicious app checks to see whether the device has been rooted and requests root access permissions if it has. The malware claims that this would allow it to access thousands of adult movies for free, in an effort to convince potential victims of the necessity of these permissions.
Once the user agrees, the malware drops a copy of itself onto the device, by remounting the /system partition, copying the embedded APK file for Android.Lockdroid.E to /system/app/[THREAT NAME].apk, changing the dropped APK file’s permission to executable, and rebooting the device so the threat can run on boot completed as a system application.
After the reboot, the threat is difficult to uninstall from the infected devices, because it has become a system application. After the installation process has been completed, Android.Lockdroid.E locks the device and displays the ransom screen and 2D barcode.
On unrooted devices, the ransomware immediately locks the device and displays the ransom screen and barcode. In such cases, however, the malware does not drop anything onto the compromised device. According to Symantec, the ransom demanded by this Trojan is rather difficult to pay.
“The instructions ask the user to scan the barcode to log in to a messaging app to pay the ransom. While this may seem like a good idea to have victims pay the ransom for their device, it is ineffective in practice. There is no way to scan the barcode or log in to the messaging app from the compromised device, so the barcode must be scanned from a second device. This makes it more difficult for the victim to pay their ransom and for the attacker to receive payment,” the security researchers say.
Related: Android Malware Improves Resilience
Related: Tordow Android Trojan Gets Root Privileges for New Attacks