After two months of quietude, the Android ransomware SLocker commenced a new feeding frenzy late last year, introducing over 400 new subvariants into the wild from December 2016 through February 2017, mobile services provider Wandera has reported.
“These strains are targeting businesses’ mobile fleets through easily accessible third party app stores and websites where rigorous security checks go by the wayside,” Wandera stated in a blog post on Wednesday.
Wandera found that these newer samples were more sophisticated than those detected during the polymorphic ransomware’s peak activity between June and October 2016, after which SLocker campaigns tapered off significantly. These latest subvariants have altered icons, package names, resources and executable files in order to avoid signature-based detection, and they also employ obfuscation and encrypted strings, the blog post explains.
In one case, for instance, SLocker’s app icon was changed from a red circle to an image of Iron Man. “There are others masquerading as health apps, podcast players and jailbreak apps that are finding ways to avoid detection,” said Covington. He suspects the pause in SLocker activity from October through December 2016 was likely the result of security solutions initially catching up to the threat, before it recently evolved.
According to Covington, the basic functionality is essentially the same among the hundreds of new subvariants found; however, each is packaged “using different techniques and with slight changes to the underlying code.” Covington also noted various differences in end user-facing text, including improvements in grammar and regional variations.
SLocker also made news recently for being found pre-installed on the Android devices of two large technology companies, along with the malicious adware and information stealer Loki.