The ransomware reportedly targets Russian-speaking users, according to bleepingcomputer.com, and contains no code to unlock the device it has locked. So if a device belonging to someone in your organization is compromised, the phone may stay locked even if the ransom is paid.
The cybercriminals spread it through third-party app stores. Their method is simple and borrows from earlier Android malware authors: pick a popular app, disassemble it, alter its normal behavior by inserting the ransomware payload into the app's code, obfuscate the result so the added code is hard to read, repackage the application, and upload it to a store.
Once installed, the ransomware waits four hours before it begins showing pop-ups that ask the user to grant it device administrator rights. As bleepingcomputer.com reported, the pop-ups do not stop until the app gets what it is after. Once it has those rights, it locks the user's screen and demands 500 Russian rubles (roughly nine US dollars).
So why would a user pay the ransom? If infected, they will receive a note that threatens to send an SMS message to all of the user’s contacts saying that the victim was found watching illegal adult footage.
This new threat is reportedly a variant of the SLocker Android ransomware. If you think a device may be infected, boot it into safe mode (which keeps third-party apps, including the locker, from running), open the device administrators list under Settings > Security, deactivate the app there, and only then uninstall it. The order matters: Android refuses to uninstall a package while one of its components is still an active device administrator, which is exactly why the malware nags for that privilege in the first place.
Also keep in mind that an app like this could slip into the major app stores.
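As an added triage example (it is not from the article or from any of the reports it cites), the following POSIX shell script lists the components that currently hold device administrator rights on an Android device, flags any package that is not on an allowlist of expected admins, and prints the deactivate-then-uninstall steps for each. The allowlist, the package names and the `dumpsys device_policy` excerpt are constructed for this example; on a real device you would pipe in `adb shell dumpsys device_policy` instead of the embedded sample.

```shell
#!/bin/sh
# Added example, not the article's or any vendor's code.
# Finds apps holding Android device-administrator rights (the privilege the
# locker described above abuses) by parsing `dumpsys device_policy` output.
#
# Live use:  adb shell dumpsys device_policy | sh find_admins.sh
# Here a constructed excerpt is embedded so the script runs offline.

# Constructed sample of `dumpsys device_policy` with two enabled admins:
# the stock email admin and a hypothetical repackaged video player.
SAMPLE_DUMP='Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.email/com.android.email.SecurityPolicy$PolicyAdmin:
      uid=10003
      testOnlyAdmin=false
      policies:
        limit-password
        wipe-data
    com.example.videoplayer/com.example.videoplayer.LockReceiver:
      uid=10147
      testOnlyAdmin=false
      policies:
        force-lock
        reset-password
  Device Owner:
    (none)'

# Assumed allowlist for this example: admins you expect on the fleet
# (stock email policy, an MDM agent, ...). Anything else gets flagged.
KNOWN_ADMINS='com.android.email
com.google.android.gms'

# Reads dumpsys text on stdin; prints one "package/receiver" per enabled admin.
# Entries sit exactly two spaces deeper than the section header; the section
# ends at the next line indented at or above the header's level.
list_device_admins() {
    awk '
        /^ *Enabled Device Admins/ { depth = match($0, /[^ ]/); in_block = 1; next }
        in_block {
            d = match($0, /[^ ]/)
            if (d <= depth) { in_block = 0; next }
            if (d == depth + 2 && $0 ~ /\/.*:$/) {
                sub(/^ */, ""); sub(/:$/, ""); print
            }
        }
    '
}

# Reads dumpsys text on stdin; prints admins whose package is not allowlisted.
flag_unexpected_admins() {
    list_device_admins | while IFS= read -r comp; do
        pkg=${comp%%/*}
        if ! printf '%s\n' "$KNOWN_ADMINS" | grep -qx "$pkg"; then
            printf '%s\n' "$comp"
        fi
    done
}

# $1 = package/receiver. Prints the remediation order: `pm uninstall` is refused
# while the component is still an active admin, so deactivation comes first.
remediation_for() {
    comp=$1
    pkg=${comp%%/*}
    printf '1. Boot to safe mode if the lock screen blocks you.\n'
    printf '2. Settings > Security > Device administrators: deactivate %s\n' "$comp"
    printf '3. adb shell pm uninstall %s\n' "$pkg"
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$SAMPLE_DUMP" | flag_unexpected_admins | while IFS= read -r comp; do
    printf 'Unexpected device admin: %s\n' "$comp"
    remediation_for "$comp"
done
```

The parser keys on indentation rather than fixed line positions because the surrounding sections of the dump vary between Android versions; only the "Enabled Device Admins" block and its immediate children are consumed.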
“Considering the stealth tactics designed into this sample, it wouldn’t be difficult to imagine the author successfully uploading this ransomware to the Google Play Store,” Gaurav Shinde, Zscaler analyst, told bleepingcomputer.com.
Google addressed the concerns in a blog post, reporting that roughly one in 10,000,000 app installs from its Play Store was flagged as ransomware, compared with about one in 10,000 installs from untrusted sources such as third-party stores.
Keep that in mind while shopping for your next app.