Researchers have spotted a new strain of Android ransomware that could evade detection on all mobile antivirus engines at the time of its discovery.
Currently targeting Russian-speaking users, this ransomware contains no decryption or unlock routine at all. Victims therefore cannot unlock their phones and regain access to their data even if they pay the ransom.
According to mobile cyber-security firm Zscaler, which first spotted the infections, the crooks behind this threat are using third-party app stores to distribute their payload.
Their mode of operation is simple and has been copied from earlier malware operators. The crooks pick a popular app from the Play Store, download it, and disassemble it.
They then alter its normal behavior and insert the ransomware payload into its code. Finally, they heavily obfuscate the code, repackage the app, and upload it to a third-party store.
When a user installs it, believing it to be a legitimate application, the malicious app waits four hours before blasting the user with popups asking for device administrator rights. The popups cannot be dismissed: they reappear over and over again until the app gets what it wants.
Once the app has admin rights, it locks the screen with a ransom note (pictured in the original article) telling the victim to pay 500 Russian rubles (around $8-$10).
To pressure victims into paying, the ransom note threatens to send an SMS message to all of their contacts telling their friends that the victim was caught watching illegal adult material.
Zscaler researchers say that an analysis of the ransomware's code did not reveal any function that checks whether the ransom was paid, let alone any that sends SMS messages to the victim's contacts. Researcher Nyxbone believes this is a version of the SLocker Android ransomware.
If a device is infected with this ransomware strain, researchers advise booting it into Safe Mode, revoking the app's Device administrator privilege, and then uninstalling the app. The order matters: Android will not uninstall an app while it is still an active device administrator.
Researchers believe the app evaded static-analysis antivirus engines because its code was heavily obfuscated and because it invoked its payload through Java reflection, which hides the called methods from a straightforward scan of the app's call graph.
Because the app used a four-hour delayed execution timer, it also evaded security solutions that rely on dynamic analysis, which typically install and interact with an app for only a few minutes before giving up.
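The three evasion traits described above (reflective invocation, a device-admin request, and a delay longer than a sandbox run) are exactly the kind of thing a static triage pass over disassembled code can look for. The scanner below is an added example written for this page, not Zscaler's tooling and not code from the sample; the indicator lists, the ten-minute delay threshold, the resource-ID filter and the two smali snippets it scans are all my own constructed assumptions.

```python
"""Static triage heuristic for disassembled Android apps (added example,
not Zscaler's tooling). It scans smali text for the indicators named in the
article: reflective invocation, a device-admin request, and an execution
delay long enough to outlast a sandbox. The smali snippets are constructed."""
import re
from dataclasses import dataclass, field

# Method references that mark reflective invocation (assumed indicator set).
REFLECTION_APIS = ("Ljava/lang/Class;->forName(", "Ljava/lang/Class;->getMethod(",
                   "Ljava/lang/Class;->getDeclaredMethod(", "Ljava/lang/reflect/Method;->invoke(")
# Strings and classes involved in asking for device-admin rights.
DEVICE_ADMIN_MARKERS = ("android.app.action.ADD_DEVICE_ADMIN",
                        "Landroid/app/admin/DevicePolicyManager;",
                        "Landroid/app/admin/DeviceAdminReceiver;")
# APIs whose argument is a delay in milliseconds.
DELAY_APIS = ("Landroid/os/Handler;->postDelayed(", "Ljava/lang/Thread;->sleep(",
              "Landroid/app/AlarmManager;->set(")
# Ten minutes: longer than the few minutes a sandbox usually spends on an app.
DELAY_THRESHOLD_MS = 10 * 60 * 1000
# const, const/4, const/16, const/32, const/high16 and their -wide variants.
CONST_RE = re.compile(
    r"^\s*(const(?:-wide)?(?:/(?:4|16|32|high16))?)\s+[vp]\d+,\s*(-?0x[0-9a-fA-F]+|-?\d+)\b")


def parse_literal(text):
    """Parse a smali integer literal (hex or decimal, optional sign)."""
    neg = text.startswith("-")
    body = text.lstrip("-")
    value = int(body, 16) if body.lower().startswith("0x") else int(body, 10)
    return -value if neg else value


@dataclass
class Findings:
    reflection: list = field(default_factory=list)    # line numbers
    device_admin: list = field(default_factory=list)  # line numbers
    delay_api: list = field(default_factory=list)     # line numbers
    long_delays: list = field(default_factory=list)   # (line_no, milliseconds)

    def indicators(self):
        return {
            "reflection": bool(self.reflection),
            "device_admin": bool(self.device_admin),
            # A big literal only counts as a delay if a delay API is also present.
            "long_delay": bool(self.delay_api) and bool(self.long_delays),
        }

    def suspicious(self):
        # One indicator alone is common in benign apps; two together is the tripwire.
        return sum(self.indicators().values()) >= 2


def triage(smali):
    """Scan smali text line by line and collect the indicators above."""
    f = Findings()
    for no, line in enumerate(smali.splitlines(), 1):
        if any(api in line for api in REFLECTION_APIS):
            f.reflection.append(no)
        if any(marker in line for marker in DEVICE_ADMIN_MARKERS):
            f.device_admin.append(no)
        if any(api in line for api in DELAY_APIS):
            f.delay_api.append(no)
        m = CONST_RE.match(line)
        if m:
            opcode, literal = m.group(1), m.group(2)
            value = parse_literal(literal)
            if opcode.endswith("/high16"):  # high16 literals are left-shifted
                value <<= 48 if opcode.startswith("const-wide") else 16
            if 0x7F000000 <= value <= 0x7FFFFFFF:  # resource IDs, not delays
                continue
            if value >= DELAY_THRESHOLD_MS:
                f.long_delays.append((no, value))
    return f


# Constructed smali, not the real sample: 0xdbba00 ms is four hours.
SUSPICIOUS_SMALI = """.class public Lcom/example/cloned/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    const-wide/32 v3, 0xdbba00
    invoke-virtual {v1, v2, v3, v4}, Landroid/os/Handler;->postDelayed(Ljava/lang/Runnable;J)Z
    const v0, 0x7f0a0012
    const-string v5, "android.app.action.ADD_DEVICE_ADMIN"
    const-string v6, "com.example.cloned.Loader"
    invoke-static {v6}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    invoke-virtual {v7, v8, v9}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    return-void
.end method"""
# Constructed benign snippet: a one-second sleep, below the threshold.
BENIGN_SMALI = """.method public onResume()V
    const-wide/16 v0, 0x3e8
    invoke-static {v0, v1}, Ljava/lang/Thread;->sleep(J)V
    return-void
.end method"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_SMALI), ("benign", BENIGN_SMALI)):
        found = triage(text)
        print(name, found.indicators(), "suspicious" if found.suspicious() else "clean")
```

Run against a whole apktool output tree by feeding each `.smali` file to `triage`. The point of the resource-ID filter and the "delay API plus large literal" pairing is precision: large constants are everywhere in real apps, so a literal only counts when a sleep or scheduling call appears in the same file.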
"Considering the stealth tactics designed into this sample, it wouldn't be difficult to imagine the author successfully uploading this ransomware to the Google Play Store," said Gaurav Shinde, Zscaler analyst.
In a blog post published yesterday, Google said that one in 10,000,000 app installs from the Play Store is classified as ransomware, while one in 10,000 app installs from untrusted sources such as third-party stores delivers a ransomware strain.