Look out for an increase in cryptolocker-style ransomware targeting mobile devices. The lure for cybercriminals is the continuing growth in the number of Android devices – and the success of ransomware attacks on PCs and company networks.
“Malware vendors are focusing more on cryptolockers and bringing this over to mobile devices. We are waiting for these focuses to converge,” said Mihai Grigorescu, Android analyst at Avira. “We are already in the situation where a lot of Android malware are creating lock screens and they are also encrypting files. In our opinion, the number of malware files that use this method will increase in the future.”
Previous ransomware attack attempts on mobile devices relied on user gullibility more than the strength of their encryption.
“The most known were the ‘police’ types where they would lock the screen but not encrypt the phone itself. But, I think it is just a matter of time till most of them start encrypting the contents,” he said.
According to the latest Google Android Security Report, the two major forms of ransomware either encrypt data on the device’s external storage (like an SD card) or prevent the device from functioning normally.
The two primary defenses between smartphone owners and an onslaught of ransomware are the user’s common sense (not giving permissions on the device to malicious apps) and Google’s own controls on the Google Play Store.
With Android, the user usually has to give permission for an app to download or make changes to the device. While this protects users from damaging themselves in many circumstances, there are still some workarounds that enable malware to circumvent user settings.
Secondly, Google has pointed out – and Avira research confirmed – that most Android malware is distributed outside the official Google Play Store and is often presented to the user as a “legitimate” app for viewing pornography or as a Flash or media player. Within its own Play Store, Google keeps quite tight controls on app quality.
“Malware is coming from third-party app stores or from infected websites. It is very easy to implement some code into a website which downloads an app and demands that the user install it. Often the download code is implemented in an adware platform used on the website and the downloads are not made every time you open the website,” explained Grigorescu. “If it looks like something common such as a software update announcement, most users don’t check and just install the malware. Depending on the malware family, a lock screen with a payment request can be shown and files such as pictures or documents are encrypted in the device’s storage.”
Moral of the story: Be careful where you go and what you agree to.