Emails containing a variant of popular Android ransomware are being sent to thousands of mobile users in English-speaking countries as part of a spam campaign recently identified by researchers with Bitdefender.
In a three-day span, Bitdefender detected roughly 15,000 spam emails originating from servers in Ukraine. The emails contain an APK file that purports to be an Adobe Flash Player update, but is actually ransomware detected as Android.Trojan.SLocker.DZ.
Upon downloading and running the file, an FBI warning pops up on the screen that tells the user they broke the law by visiting pornographic websites, and explains that the device will remain locked up until a $500 fine is paid.
Ultimately, the ransomware creates an activity that cannot be overwritten, Bogdan Botezatu, senior e-threat analyst with Bitdefender, told SCMagazine.com in a Tuesday email correspondence. He said that the malware disables the home and navigation keys so the user cannot leave the ransom screen, and added that it will run when the system boots, meaning restarting the device will not help.
“This approach is extremely effective, apparently, because it succeeds in denying the user access to the device,” Botezatu said. “Unlike file-encrypting Android ransomware, this type of malware requires less permissions – [primarily,] it does not need device administrator permissions – [making] its installation much less suspicious.”
Botezatu noted that attempting to brute-force the unlock code will result in the ransom being raised to $1,500.
“After infection, the user is presented with a web form that prompts the user to enter a valid MoneyPak voucher code,” Botezatu said. “This voucher number is linked with a device ID and is reported to a central server. If the user enters too many invalid codes, the amount of money they have to pay triples.”
Fortunately, unlocking an infected device without paying is possible.
Botezatu said that a user can boot the device in safe mode, navigate to the application manager, remove the offending application, and then reboot the phone normally. Additionally, users can disable or uninstall the malware by issuing a command from their PC, so long as Android Debug Bridge (ADB) was enabled on the device.
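The ADB route described above, as an added example that is not from the article or from Bitdefender: a small POSIX shell script run on the PC that lists the phone's third-party packages, then stops, disables and uninstalls the one the user names. It assumes `adb` is on the PATH, that USB debugging was already enabled before the infection, and that the user has identified the offending package from the listing; the package names used are assumptions, not the real malware's.

```shell
#!/bin/sh
# Added example, not from the article or Bitdefender: the ADB clean-up route
# the article describes, driven from a PC. Assumes `adb` is on PATH and that
# USB debugging was already enabled on the phone. Package names are assumptions.

# Reduce `adb shell pm list packages -3 -f` output (third-party packages with
# their APK path, e.g. "package:/data/app/x-1/base.apk=com.x") to bare package
# names, one per line. Trailing carriage returns from adb are ignored.
third_party_packages() {
  sed -n 's/^package:.*=\([^[:space:]]*\).*$/\1/p'
}

# Print the commands that neutralise one package: stop it, disable it for the
# primary user (so the lock activity cannot re-launch on the next boot), then
# uninstall it. Disabling before uninstalling keeps the screen usable even if
# the uninstall step fails.
removal_commands() {
  pkg="$1"
  printf '%s\n' \
    "adb shell am force-stop $pkg" \
    "adb shell pm disable-user --user 0 $pkg" \
    "adb uninstall $pkg"
}

# Interactive use: `./adb_cleanup.sh` lists packages; `./adb_cleanup.sh <pkg>`
# removes one. Set DRY_RUN=1 to print the commands instead of running them.
main() {
  if [ $# -eq 0 ]; then
    echo "Third-party packages on the device:"
    adb shell pm list packages -3 -f | tr -d '\r' | third_party_packages
    return 0
  fi
  removal_commands "$1" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      sh -c "$cmd"
    fi
  done
}

# Only run main when executed as adb_cleanup.sh, so the functions can be
# sourced and tested without a device attached.
case "$0" in
  *adb_cleanup.sh) main "$@" ;;
esac
```

Run the script with no arguments first and look for a package whose name or APK path does not match anything the user knowingly installed (a fake "Flash Player update" will not be a Google or OEM package); then pass that name as the argument. Because the disable step precedes the uninstall, the ransom screen is gone as soon as the second command completes.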
Bitdefender observed the largest number of infected users in the U.S.