
Symantec detects ransomware variants created directly on mobile devices

Symantec has discovered new variants of Android.Lockscreen (ransomware) that are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

In a recent blog post, Dinesh Venkatesan, a principal analyst at Symantec, highlighted the fact that previous versions of these threats locked the screen and used a hardcoded passcode.

Because that passcode was fixed in the code, Symantec analysts were able to reverse engineer it and provide victims with a way to unlock their devices.

Venkatesan also says the attackers have combined a custom lockscreen with the device's lockscreen to create an additional hurdle for those infected.

“Symantec has seen several variants of a known ransomware family that were developed on Android devices using the Android integrated development environment,” he writes.

“However, the ability to create malware on mobile devices may open up new avenues in the future creation of malware.”

As the techniques used to create new ransomware threats on mobile devices are relatively new, the principal analyst adds that a bit of explanation is in order.

“These ransomware threats were created using the rapid application development (RAD) model of software development. This method is typically used for software that requires rapid prototyping and is driven by user interface requirements,” he says.

“This is a particularly suitable way to develop mobile applications because of their reliance on a strong graphical user interface (GUI).”

According to Venkatesan, RAD utilises GUI builders that can make it easier to build applications because of their drag-and-drop wizard functionality, which can be used to build the interface and app.

“Integrated development environments (IDEs), another integral part of the RAD model, help developers to rapidly build an application by automatically generating boilerplate code,” he explains.

“These functions make it easier for developers, and in this case, attackers, to rapidly create software without worrying too much about planning and design.”

In order to actually develop ransomware on mobile devices, Venkatesan explains that the tools required to build Android apps are computer-based software.

“That means, in order to use them to build Android apps, the developer will need a computer, which is the most common practice when it comes to app development. In this specific case, attackers have used an IDE to design, build, implement, modify, and sign variants of Android.Lockdroid.E directly on mobile devices,” he explains.

“Manipulating the existing code to create newer variants with different configurations is nothing new from a traditional malware development practice.”

However, Venkatesan adds that the adoption of RAD methodology shows how attackers are attempting to find quicker, more flexible ways to create malware.

To protect against these threats, Symantec recommends that people at risk keep their software and operating systems up to date, don’t install apps from unfamiliar sources, back up their devices and install a suitable mobile security app.
