Cybersecurity researchers have discovered a new strain of Android ransomware that is reportedly able to evade all antivirus programs tested on it, making it an alarming threat to those who are vulnerable.
Detected by the Zscaler ThreatLabZ team, this ransomware targets Russian speakers, and is not equipped with any decryption functionality. This means that even if a payment is made, the device will still stay locked.
While the threat is distributed using third-party app stores, the cybercriminals are smart enough to entice users to download it. They will identify a popular app on the Google Play Store, clone it, and disassemble it. Soon after, they will alter the apps' behavior by modifying its programming, and inject their own malicious code. Once the app has been repackaged, it will be sent to the third-party app store.
The ingenuity of the cybercrooks doesn't end there , however; as soon as victims install the fake app, it will wait four hours before it launches its modus operandi. When the time is right, It starts to ask the user to grant it administrator rights, which include automatically changing the lock screen password, monitor screen-lock attempts, auto-lock the screen, and set the lock screen password expiration. The user can't easily dismiss the request, however, as doing so will only make the pop-up return, until the victim agrees to grant it access.
Once the app has been given admin rights, it will display a lock screen, saying that they have to pay 500 Russian Rubles (equal to around $9). It even threatens the user by saying that if they don't pay up, the app will send a message to all their contacts, and say that they are watching illegal adult content.
There's no evidence that the app can do this, fortunately. ZScaler researchers say that in analysis of the ransomware's source code, it had no such abilities, and that it cannot detect whether a victim has already paid up.
To remove the ransomware, a user must boot Android into Safe Mode, remove the app's administrator rights, and proceed to uninstalling it for good.
Gaurav Shinde of ZScaler explains how the malware manages to bypass antivirus software:
Most AV programs execute samples for a few seconds or minutes to detect malicious behavior performed by the app. In this case, the malware doesn’t show its presence until four hours have passed. This way, the malware author dodges the dynamic analysis by antivirus systems.
While this specific malware is only targets a small area, it's best to remember to download apps only from the official stores, and to stay away from installing individual APK files whenever possible. Android ransomware attacks have grown by 50% in the past year, with this trend seemingly poised to continue in the near future.