Android ransomware in 2017

The number of ransomware infections on Android devices has gone down in 2017, according to an end-of-year report published by ESET last week.

Android ransomware numbers have been on a general decline since April 2016, when such infections reached their peak.

Nonetheless, mobile ransomware's decline in 2017 is somewhat of an oddity on the Android malware scene, where overall malware detections were at an all-time high, and when desktop ransomware was by far 2017's top cybercrime trend.

Researchers have not been able to pin the decline on any specific reasons, and the new security features introduced in the Android OS don't seem to have played a role, especially since very few users are running the latest security-hardened Android OS distributions.

DoubleLocker was 2017's most prominent new player

Overall, the Android ransomware scene has been the same in 2017 as in the previous year. Screen lockers (ransomware that shows a message over the screen preventing access to other apps), PIN lockers (ransomware that locks the screen with a special PIN), and crypto-ransomware (that encrypts files) have continued to make victims, with very few "technical innovations."

While old players like the Charger, Lockerpin, and Simplelocker families have continued to wreak havoc, especially on the Chinese market, ESET has also seen new strains.

The most important has been the DoubleLocker family, a new ransomware strain spotted last October. DoubleLocker sealed its place in the history of Android malware by becoming the first Android ransomware strain that (ab)used the Accessibility service to gain admin rights and infect users.

The trend of using the Android Accessibility service has been a favorite of Android banking trojans for years, and it was no surprise that ESET found it in DoubleLocker, a ransomware strain they said appears to have its roots in the Svpeng Android banking trojan.

But DoubleLocker wasn't the only ransomware strain that evolved from an old Android banking trojan. In late November, SfyLabs researchers found a new version of the LokiBot Android trojan that transformed into ransomware when victims tried to remove it from their devices.

Android ransomware detections spiked towards end of 2017

These late releases of DoubleLocker and LokiBot are also the reason why ESET believes Android ransomware detections will regain the ground they lost in 2017, researchers noting a small bump in detections towards the end of the year.

The good news is that despite many Android banking trojans reaching the Play Store this past year over and over again, only one ransomware strain made it on the official store in what appeared to be an isolated incident.

ESET's 2017 Android ransomware report is available in PDF format here. Our readers can also read our coverage of ESET's 2016 end-of-year report here.

Related Articles:

Android App Devs Find Clever Trick for Fooling Users Into Installing Their Crapware

New MysteryBot Android Malware Packs a Banking Trojan, Keylogger, and Ransomware

Tens of Thousands of Android Devices Are Exposing Their Debug Port

New SamSam Variant Requires Special Password Before Infection

Google Updates File Signature Checks for Android Apps