SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Symantec detects ransomware variants created directly on mobile devices
Tue, 4th Oct 2016

Symantec has discovered new variants of Android.Lockscreen (ransomware) that are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

In a recent blog post, Dinesh Venkatesan, a principal analyst at Symantec, highlighted the fact that previous versions of these threats locked the screen and used a hardcoded passcode.

However, Symantec analysts have been able to reverse engineer the code to provide victims a way to unlock their devices.

Venkatesan also says the attackers have combined a custom lockscreen with the device's lockscreen to create an additional hurdle for those infected.

“Symantec has seen several variants of a known ransomware family that were developed on Android devices using the Android integrated development environment,” he writes.

"However, the ability to create malware on mobile devices may open up new avenues in the future creation of malware."

As the techniques used to create new ransomware threats on mobile devices are relatively new, the principal analyst adds that a bit of explanation is in order.

“These ransomware threats were created using the rapid application development (RAD) model of software development. This method is typically used for software that requires rapid prototyping and is driven by user interface requirements,” he says.

“This is a particularly suitable way to develop mobile applications because of their reliance on a strong graphical user interface (GUI).”

According to Venkatesan, RAD utilises GUI builders that can make it easier to build applications because of their drag-and-drop wizard functionality, which can be used to build the interface and app.

“Integrated development environments (IDEs), another integral part of the RAD model, help developers to rapidly build an application by automatically generating boiler-plate code,” he explains.

“These functions make it easier for developers, and in this case, attackers, to rapidly create software without worrying too much about planning and design.”

On how the ransomware was actually developed on mobile devices, Venkatesan explains that the tools required to build Android apps are computer-based software.

“That means, in order to use them to build Android apps, the developer will need a computer, which is the most common practice when it comes to app development. In this specific case, attackers have used an IDE to design, build, implement, modify, and sign variants of Android.Lockdroid.E directly on mobile devices,” he explains.

“Manipulating the existing code to create newer variants with different configurations is nothing new from a traditional malware development practice.”

However, Venkatesan adds that the adoption of RAD methodology shows how attackers are attempting to find quicker, more flexible ways to create malware.

To protect against these threats, Symantec recommends that people at risk keep their software and operating systems up to date, avoid installing apps from unfamiliar sources, back up their devices and install a suitable mobile security app.