Scammers are busily working out the kinks in a rogue anti-virus application designed to target Android users – a threat that marks the criminal underground's first attempt to spread mobile ransomware, according to researchers.
Security firm Symantec recently detected an Android trojan dubbed Fake Defender, which is capable of locking users' devices. In a worst-case scenario, it also can require users to perform a hard reset to eradicate the malware.
In a Friday blog post, Joji Hamada, a researcher at Symantec, said users should be able to perform a “simple uninstall” of the app, called Android Defender by its purveyors. But that option exists only because of existing bugs that the app's creators are trying to work out.
Right now the threat is minimal. Since the malware was detected on June 2, the Fake Defender trojan has infected fewer than 50 devices, according to Symantec's research. But it signals the rising tide of threats traditionally segregated in the PC market making their way into the mobile realm.
The app acts the same way that rogue anti-virus software installed on desktops and laptops would. Users are made to believe their device is infected with viruses, and to remove the issue, they must pay money – in this case $100 over a year – to remove the nonexistent malware.
After victims install the malicious app, there will be no relief from the notifications, since the alerts can continue even if they don't agree to pay the money.
Symantec posted a video of how the malware works.
Vikram Thakur, principal security response manager at Symantec, told SCMagazine.com that the app has been hosted at various sites, but has not been seen in the official Google Play store.
Interestingly enough, users often believe they are downloading a Skype app from sites that allows them to make free phone calls, Thakur said.
It's only when they download the Fake Defender app that they see their device overtaken by the "Android Defender" virus scan.
The malicious app also warns users that malware is trying to steal pornographic content stored on their device – an additional con to spur victims into emptying their pockets.
“In our testing, there was no simple solution to removing this [ransomware] – just as we've experienced on the PC side,” Thakur said.
Depending on the malware's compatibility with the infected device, a factory data reset may be necessary. But if the trojan makes that impossible, users may have to do a hard reset, which requires them to enter a specific key combination or to connect the device to a computer – which could mean shipping the device back to the manufacturer, Thakur said.
Rogue AV scams in the mobile environment could make the schemes even more successful, he said. Since users spend so much time on their mobile devices, they may move quickly to respond to any threats, even if they are bogus.
“People are getting a lot more reliant on their phones these days,” Thakur said. "They probably carry out about 80 to 90 percent of their waking day on them. In terms of urgency, people are a lot more sensitive about their phones than their PC."