In association with heise online

26 June 2013, 17:24

Ransomware locks Android smartphones


[Image: Android Defender displays this icon after installation. Source: Symantec]

The threat posed by malware disguised as anti-virus software which locks the desktop and tries to extort money to unlock it has now spread to Android smartphones. Away from the Google Play Store, Symantec has discovered one such piece of malware which, like the BKA trojan, uses pornographic content to extort money from users. The malware embeds itself deep in the system and doesn't stop annoying the user even after the ransom has been paid. Such malware has earned itself the name of ransomware on the desktop.

The Android ransomware markets itself as "Free Calls Update". Once installed, users find themselves confronted with a "trial version" of Android Defender (see video). The software suffers from compatibility problems with some devices, but if it finds itself on a compatible phone, it launches straight into its con.

[Image: "Activate device administrator?" The malware would like to escalate its privileges. Source: Symantec]

First the app tries to register as a device administrator – effectively to escalate its privileges. If it succeeds, removing the malware becomes a very difficult prospect. If the user declines to allow it to register, Android Defender has a few tricks up its sleeve. It conceals its actions as well as it is able and appears to make contact with its operator. In the foreground it makes a show of carrying out a system scan, while in the background it silently establishes an internet connection. As part of its concealment it removes its APK installation file to prevent discovery by genuine anti-virus software.

[Image: "Remove all threats?" Source: Symantec]

Following the sham system scan, Android Defender reports multiple threats, for which it picks out genuine directory names. The user is then offered the choice of buying the full version and resolving the threats or of ignoring them.

[Image: "Trial version". The full version does not protect users from annoying pop-ups, but does protect them from porn-based extortion. Source: Symantec]

If the user persists in declining to buy the full version, the malware digs deeper into its box of tricks. Like the BKA trojan, it responds to this persistent rejection by locking the device. The program claims that malware has attempted to steal pornographic content located on the smartphone. If the user ignores this warning, it becomes impossible to launch any other app – Android Defender blocks all services on the smartphone. Should a user give in to the first request for payment, the smartphone is spared being locked, but it continues to display annoying pop-ups.

[Image: "Purchase Android Defender". The full version is not exactly cheap. Source: Symantec]

According to Symantec, potential victims benefit from the fact that the malware suffers from compatibility problems, as a result of which it tends to crash the phone. This allows users to remove the malware if caught early enough. If Android Defender has already made itself at home as a device administrator, often the only remedy is to reinstall the operating system from scratch.

As is often the case, the malware does not lurk in Google Play, but can be found in alternative sources such as app catalogues, forums or file-sharing applications. To install apps from non-trusted sources, users have to activate what's known as sideloading. Users who only install apps from Google Play have little to fear.

