Sometimes it seems like ransomware is creeping into every part of our lives. Even our phones aren’t safe now; Android ransomware has been around for some time, but there are signs that it is getting worse. Most of the ransomware attacks making headlines strike large organizations: hospitals, government agencies, or major corporations. This makes sense, since these organizations have lots of cash and can’t afford serious downtime. Another trend is on the rise, however: Android ransomware.
The first serious wave of ransomware was much smaller scale, on average, and used the “spray and pray” approach. This approach involves sending out millions of junk emails with malicious links or attachments, and hoping that a few people are foolish enough to open them.
More recently, there has been a shift towards “big game hunting” which typically employs increasingly sophisticated spear phishing attacks to break into private networks. With this trend, the average ransom amount has increased considerably.
There are still a number of ransomware strains targeting individuals, however. There has also been a shift in the last year towards targeted attacks on high net worth individuals. In particular, high net worth individuals or families with a large number of connected devices are an attractive target for hackers.
How does Android Ransomware Work?
Android ransomware is often very similar to ransomware on PCs or servers, with a few important differences. Some variants encrypt files like ordinary ransomware, but most variants exploit features that make it impossible to use your phone.
This is accomplished by taking advantage of a permission called SYSTEM_ALERT_WINDOW. It lets an app draw a window on top of other apps, and is usually used for displaying system alerts (surprise!). The ransomware uses it so that no matter what you do, the window with the ransom note stays on top of everything.
Other variants, including MailLocker, exploit the call notification feature. This is the program that lets you know when you are receiving a call so that you can answer. This is combined with triggering the onUserLeaveHint() function in order to achieve an effect similar to the SYSTEM_ALERT_WINDOW hack.
Newer versions of Android ransomware are becoming increasingly sophisticated. Some versions were recently observed with machine learning modules that customize attacks for individual devices. These features have not been observed in the wild, but the fact that they are included in the code of ransomware viruses is a sign that hackers may be targeting more Android users in the future.
Types of Android Ransomware Scams
One of the most common tricks used by mobile ransomware is to style the ransom note so that it looks like a notification from local police. It tells the user that they’ve committed a crime, most often that they have viewed illegal content, and that their user logs are in the custody of law enforcement. It then demands that victims pay a fine. Some strains of ransomware make these claims more convincing by collecting personal information from the device and then including it in the fraudulent ransom note.
Always remember, police will never ask you to pay a fine with Bitcoin!
Another scam appeared during the COVID-19 pandemic. An app called COVID19 tracker, pretending to be a COVID tracking app, locks down users’ phones when they download it. It attracts users with the enticing promise of telling them how many COVID cases are in their area. After the download, it locks down the phone and displays the ransom note. It typically demands $100 worth of Bitcoin, and threatens to leak the user’s social media information if they don’t pay.
Can Android Ransomware Transfer from your phone to your PC?
Most of the ransomware observed on mobile devices so far does not have advanced capabilities. The attacks are usually automated and are going after small ransom amounts. Most people don’t connect their phones to their PCs that often, so it’s not really worth it for attackers to build in code for spreading from a phone to a PC.
How to Protect Yourself
The vast majority of Android ransomware comes from infected APKs. Believe it or not, many infected apps are available in the Google Play store. Google is working hard to remedy this problem: they have deleted dozens of malicious apps over the last year.
It’s worth checking periodically to see which apps carry malware or ransomware. This is a good practice for other reasons as well. Ransomware is especially dangerous, but there are many other forms of more benign but still scary malware. Many strains of malware are known to steal and sell user data.
The same security tips that apply on any device can help protect against Android ransomware.
- Stay up to date with all updates and patches.
- Install a good mobile security app (Bitdefender and Norton are both excellent).
- Take care to only download apps and APKs from well known, trusted sites.
- Check what permissions an app requests. For example, a personal fitness app doesn’t need access to your call logs. If an app asks for permissions that don’t make sense, consider deleting it, especially if it came from an unknown source.
- Back up your data. Although most Android ransomware does not encrypt data, you might run into a strain that does. Keeping a secure backup can prevent you from needing to pay a ransom.
If you follow these simple tips, you probably won’t need to worry about ransomware on your phone.
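One way to apply the permission check from the list above, together with the SYSTEM_ALERT_WINDOW overlay behaviour described earlier, as an added example (not code from BeforeCrypt or from any tool named on this page). It assumes the app’s AndroidManifest.xml has already been decoded to plain XML, for instance with apktool; the sample manifest, the package name and the category-to-permission table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permission behind the always-on-top ransom note described in this article.
OVERLAY = {"SYSTEM_ALERT_WINDOW"}

# Personal-data permissions and the app categories that plausibly need them.
# This mapping is an assumption of the example, not an Android or Play rule.
PERSONAL = {
    "READ_CALL_LOG": {"dialer"},
    "READ_SMS": {"messaging"},
    "READ_CONTACTS": {"dialer", "messaging"},
}


def requested_permissions(manifest_xml):
    """Return the short names of all android.permission.* entries requested."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names


def audit(manifest_xml, category):
    """List (permission, reason) pairs worth a second look before installing."""
    perms = requested_permissions(manifest_xml)
    findings = [(p, "can draw over other apps") for p in sorted(perms & OVERLAY)]
    for p in sorted(perms):
        allowed = PERSONAL.get(p)
        if allowed is not None and category not in allowed:
            findings.append((p, f"unexpected for a {category} app"))
    return findings


# Constructed sample: a "fitness" app that asks for an overlay and call logs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fittrack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE, "fitness"):
        print(f"{perm}: {why}")
```

A finding is a prompt to look closer, not proof of malware: legitimate apps such as chat-head messengers also request SYSTEM_ALERT_WINDOW.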
Don’t Worry.
If this type of ransomware does hit you, it will probably not encrypt your files. That means you can simply save all your critical files on a PC, and then do a factory reset. However, you may want to use a virtual machine in the process to make sure you don’t open an avenue for the ransomware to spread to your PC.
BeforeCrypt typically deals with larger enterprise cases, and most Android ransomware cases are relatively small, so we don’t usually get involved. However, if for some reason you fall victim to a more complex attack or have sensitive data on your phone, you are welcome to call us for a free consultation. Stay safe!