Android ransomware

Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at Google.

The mobile security guru cites internal Google statistics, revealing that since 2015, less than 0.00001% (one in 10,000,000) app installations from the Google Play Store delivered apps that could be categorized as ransomware.

For apps installed from outside the Play Store, which Google can track via Android's built-in Verify Apps service, the number is much higher, as expected, with less than 0.01% (one in 10,000) app installations.

There is no surprise here, as most malware gangs these days use third-party shops to spread malicious apps, as very few have the technical skills to code Android malware capable of evading Google's Bouncer app scanning service.

Woloz brazenly says that Android users are more likely to get struck by lightning twice in their lifetime than to install ransomware on their devices. While mathematically and factually correct, your reporter doesn't agree with the statement, mainly because it lowers user awareness levels and trivializes the act of carelessly installing ransomware to a mere accident, when it's not.

Google should be telling users to install apps only from the official Play Store and ask them to closely review the permissions they give to apps.

Better Android defences led to fewer ransomware infections

For its part, Google has worked hard on improving the Android security model, doing whatever it could to reduce the attack surface often exploited by various Android malware strains.

Android 7.0 Nougat, released last year, has added a few features that very few Android malware families have managed to bypass.

For starters, Google restricted access to the Device Admin APIs, so apps won't be able to programmatically change existing passwords/PINs. If the user set up a PIN before the installation of a malicious app (ransomware), that app can't change the existing PIN, even if it has the proper permissions.

Second, Android devs have ported the seccomp Linux sandboxing feature, meaning apps can't take a peek inside other apps and launch an attack based on predetermined triggers.

Third, Google changed how the SYSTEM_ALERT_WINDOW permission works, stopping so-called "permission clickjacking" attacks, which happen when a malicious app draws a fake screen over system dialogs (like the ones asking for permissions) and tricks users into giving ransomware or other malware the permissions they need to work.
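The two capabilities named above, overlay drawing via SYSTEM_ALERT_WINDOW and device-admin registration, are both visible in an app's manifest. The following triage script is an added example, not code from the article or from Google; it assumes the AndroidManifest.xml has already been decoded from the APK's binary XML into plain text, and the sample manifest it scans is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest markers tied to the ransomware behaviour discussed above:
# an overlay permission (permission clickjacking) and a device-admin receiver.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifest (not taken from any real app), already decoded to text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of review findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    # Collect every requested permission; the android: prefix maps to ANDROID_NS.
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    if OVERLAY_PERM in perms:
        findings.append("overlay: requests SYSTEM_ALERT_WINDOW (can draw over system dialogs)")
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN or handles DEVICE_ADMIN_ENABLED.
    for rcv in root.iter("receiver"):
        guarded = rcv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if guarded or DEVICE_ADMIN_ACTION in actions:
            name = rcv.get(ANDROID_NS + "name")
            findings.append("device-admin: receiver %s registers as device administrator" % name)
    # Both together is the combination worth a manual review before installing.
    if any(f.startswith("overlay") for f in findings) and any(f.startswith("device-admin") for f in findings):
        findings.append("review: overlay plus device-admin is the combination described above")
    return findings


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST):
        print(line)
```

Flagging these markers does not prove an app is malicious (legitimate device-management and floating-widget apps request them too); it only selects candidates for closer review.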

If by any chance you still manage to infect your Android device with ransomware, Google advises booting the device in safe mode and attempting to remove the app, performing a factory reset (hard reset), or flashing the device (reinstalling the Android OS). Because this last step wipes the device, users are often advised to perform regular backups, so they can restore data they might lose during a reflash. The steps for booting in safe mode or performing a factory reset usually differ by device model, and instructions for each operation can be found online.
