Android ransomware spreads further, with new methods in its toolbox

Next story

Ransomware seems to have maintained its attractiveness amongst cybercriminals, steadily growing on multiple platforms – including mobile since 2014. Android users have been targeted by various types of this extorting malware, most frequently by the police ransomware, trying to scare victims into paying up after (falsely) accusing them of harvesting illegal content on their devices.

The most popular attack vector used by cybercrooks has remained unchanged since the beginning of the “ransomware epidemic”. That is the misuse of unofficial markets and forums to spread their preferred family or variant of malicious code.

But 2016 also brought cases where cybercriminals added other, more sophisticated methods to their toolboxes. Attackers tried to bury malicious payloads deeper into applications. To achieve this, they encrypted them, then moved them to the assets folder, which is typically used for pictures or other contents necessary for the app. The apps however, seemingly had no real functionality on the outside, but on the inside, there was a decryptor able to both decrypt and run the ransomware.

ESET experts have also documented Android ransomware spreading via email. Attackers used social engineering to manipulate victims into clicking on a malicious link in the message and directed them to an infected Android application package (APK).

Another interesting development observed this year has been the growing focus of Jisut ransomware operators on Chinese markets, using a localized Chinese ransom message.

If you'd like to know more about recent developments in Android ransomware, do stop by ESET booth E05 in Hall W2 at Mobile World Congress in Shanghai from 28-30th June 2017.