
SLocker no slacker: Researchers detect 400-plus new subvariants of Android ransomware

After two months of quietude, the Android ransomware SLocker commenced a new feeding frenzy late last year, introducing over 400 new subvariants into the wild from December 2016 through February 2017, mobile services provider Wandera has reported.

"These strains are targeting businesses' mobile fleets through easily accessible third party app stores and websites where rigorous security checks go by the wayside," Wandera stated in a blog post on Wednesday.

Wandera found that these newer samples were more sophisticated than those detected during the polymorphic ransomware's peak activity between June and October 2016, after which SLocker campaigns tapered off significantly. The latest subvariants have altered icons, package names, resources and executable files to evade signature-based detection, and they also employ obfuscation and encrypted strings, the blog post explains.

In one case, for instance, SLocker's app icon was changed from a red circle to an image of Iron Man. "There are others masquerading as health apps, podcast players and jailbreak apps that are finding ways to avoid detection," said Covington, who suspects the pause in SLocker activity taking place from October through December 2016 was likely the result of security solutions initially catching up to the threat, before it recently evolved.

According to Covington, the basic functionality is essentially the same among the hundreds of new subvariants found; however, each is packaged "using different techniques and with slight changes to the underlying code." Covington also noted various differences in end user-facing text, including improvements in grammar and regional variations.
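As an added illustration that is not part of the article or Wandera's post, the constructed Python example below shows why a signature tied to the whole package hash fails the moment a sample is relabeled (new icon, new package name), and why even a per-component fingerprint still misses a subvariant whose executable has changed. The APK contents are synthetic stand-ins, not real app data.

```python
import hashlib
import io
import zipfile


def build_apk(icon: bytes, manifest: bytes, dex: bytes) -> bytes:
    """Assemble a minimal APK-shaped zip in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("res/drawable/icon.png", icon)
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def package_hash(apk: bytes) -> str:
    """The kind of value a simple file-hash signature would match on."""
    return hashlib.sha256(apk).hexdigest()


def component_hashes(apk: bytes) -> dict:
    """Hash each member separately so a swapped icon or renamed package
    does not invalidate the fingerprint of the code it ships with."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            out[name] = hashlib.sha256(z.read(name)).hexdigest()
    return out


def same_code(apk_a: bytes, apk_b: bytes) -> bool:
    """True when both packages carry byte-identical executable code."""
    return component_hashes(apk_a)["classes.dex"] == component_hashes(apk_b)["classes.dex"]


# Constructed samples: a known sample, a relabeled copy (new icon and package
# name, identical code) and a copy whose code was also modified.
KNOWN_DEX = b"dex\n035\x00" + b"lock-screen-and-demand-payment" * 4
ORIGINAL = build_apk(b"red-circle-icon", b'package="com.example.locker"', KNOWN_DEX)
RELABELED = build_apk(b"iron-man-icon", b'package="com.example.health"', KNOWN_DEX)
RECODED = build_apk(b"iron-man-icon", b'package="com.example.podcast"',
                    KNOWN_DEX.replace(b"payment", b"ransom!"))

if __name__ == "__main__":
    print("whole-package hash survives relabeling:",
          package_hash(ORIGINAL) == package_hash(RELABELED))   # False
    print("code fingerprint survives relabeling:", same_code(ORIGINAL, RELABELED))  # True
    print("code fingerprint survives code change:", same_code(ORIGINAL, RECODED))   # False
```

The third case is the one the article describes: once the executable itself changes, static fingerprints of any granularity stop matching, which is why behaviour-based detection has to complement them.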

SLocker also made news recently for being found pre-installed on the Android devices of two large technology companies, along with the malicious adware and information stealer Loki.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
