Ransomware masquerades as FBI, Android users in the crossfire
Thousands of Android users have been targeted by a ransomware that demands users to pay $500 to restore access to their smartphone, according to Bitdefender, the anti-malware provider.
Posing as an Adobe Flash Player update, the malware is installed as an innocent video player. However, when the user begins to run it a fake error message is displayed purported to be from the FBI.
After pressing ‘OK’ to continue, users see an ‘FBI warning’ and are unable to navigate away from the programme.
The device’s home screen then delivers a fake message telling users they have broken the law by visiting pornographic websites.
Hackers have also included screenshots of users’ purported browsing history in the malware to make the message more compelling, as well as claims to have screenshots of the victims’ faces and locations.
In order for users to restore access to their device, hackers demand $500. Although, if users try to ‘independently unlock’ their devices, the demand triples to $1,500.
Users are prompted to pay the fee by transferring money via Money Pak and PayPal My Cash.
Bitdefender has detected this threat as the ‘Android.Trojan.SLocker.DZ.’; one of the most prevalent Android ransomware families.
According to Bitdefender’s internal telemetry, multiple versions of this malware family are available, bundled with spam messages originating from different .edu, .com, .org and .net domain servers.
More than 15,000 spam emails containing malicious .apk files has hit the inboxes of Android users in the last few days, including zipped files detected from servers located in Ukraine, says Bitdefender.
Safety recommendations for users
Unfortunately, there is not much users can do when they fall victim to ransomware, even if this particular strain does not encrypt the files on the infected terminal, says Bitdefender.
When a user is attacked by ransomware, the device’s home screen button and back functionalities are disabled.
Turning the device on and off doesn’t help either because the malware continues running when the operating system boots.
In certain circumstances, Android users can reclaim control of their devices. For instance, if they have Android Data Bridge (ADB) enabled on their infected Android, as they can programmatically uninstall the ransomware application.
If supported by the mobile device, users can also start the terminal in Safe Boot, which allows the user to load a minimal Android configuration which prevents the malware from running. This approach can buy enough time to manually uninstall the malware.
Here’s list of recommendations for users to prevent falling victim to ransomware:
- Never install applications from untrusted sources. Android blocks the installation of applications outside the Play Store by default, but there are instances when users are forced to change the settings (i.e. when using third-party Android markets). If possible, leave this option in its default state.
- Regularly back up your data in the cloud or on an external drive.
- Use an anti-malware solution for your Android device and keep it constantly updated and able to perform active scanning.
- Follow good internet practices; avoid questionable websites, links or attachments in emails from uncertain sources.
- Use a filter to reduce the number of infected spam emails that reach your inbox.