2016 Rise of Android Ransomware


Ransomware is a growing problem for users of mobile devices. Lock-screen ransomware and file-encrypting “crypto-ransomware”, both of which have been causing major financial and data losses for many years, have made their way to the Android platform.

Like other types of Android malware – SMS trojans, for example – ransomware threats have been evolving over the past few years and malware writers have been adopting many of the same techniques that have proven to be effective in regular desktop malware.

On both Windows and Android, lock-screens are nowadays usually of the “police ransomware” kind, trying to scare the victims into paying up after (falsely) accusing them of harvesting illegal content on their devices. Likewise, as with the infamous Windows Cryptolocker ransomware family, crypto-ransomware on Android started using strong cryptography, which meant that affected users had no practical way of regaining the hijacked files. And because so many people now keep everyday data, such as photos, on smartphones rather than PCs, the threat of losing this data is greater than ever.

One interesting observation that we have made is that the attackers’ focus is no longer only on Eastern European countries. A number of recent families, such as Android/Simplocker and Android/Lockerpin, have been targeting victims mostly in the USA.

In the first part of the paper, we provide a definition of ransomware, take a look at ESET’s detection telemetry to see how widespread the threat is, and analyze malware specifics that apply to ransomware on Android. The main section details the most noteworthy Android ransomware examples from the past three years. Finally, we give take-home messages and advice for Android users. Read more here.