
Symantec detects ransomware variants created directly on mobile devices

04 Oct 2016

Symantec has discovered new variants of the Android.Lockscreen ransomware that use pseudorandom passcodes to prevent victims from unlocking their devices without paying the ransom.

In a recent blog post, Dinesh Venkatesan, a principal analyst at Symantec, highlighted that previous versions of these threats locked the screen using a hardcoded passcode.

Because the passcode was hardcoded, Symantec analysts were able to reverse engineer the code and provide victims with a way to unlock their devices.

Venkatesan also says the attackers have combined a custom lockscreen with the device's lockscreen to create an additional hurdle for those infected.

“Symantec has seen several variants of a known ransomware family that were developed on Android devices using the Android integrated development environment,” he writes.

“However, the ability to create malware on mobile devices may open up new avenues in the future creation of malware.”

As the techniques used to create new ransomware threats on mobile devices are relatively new, the principal analyst adds that a bit of explanation is in order.

“These ransomware threats were created using the rapid application development (RAD) model of software development. This method is typically used for software that requires rapid prototyping and is driven by user interface requirements,” he says.

“This is a particularly suitable way to develop mobile applications because of their reliance on a strong graphical user interface (GUI).”

According to Venkatesan, RAD utilises GUI builders that can make it easier to build applications because of their drag-and-drop wizard functionality, which can be used to build the interface and app.

“Integrated development environments (IDEs), another integral part of the RAD model, help developers to rapidly build an application by automatically generating boilerplate code,” he explains.

“These functions make it easier for developers, and in this case, attackers, to rapidly create software without worrying too much about planning and design.”

In order to actually develop ransomware on mobile devices, Venkatesan explains that the tools required to build Android apps are computer-based software.

“That means, in order to use them to build Android apps, the developer will need a computer, which is the most common practice when it comes to app development. In this specific case, attackers have used an IDE to design, build, implement, modify, and sign variants of Android.Lockdroid.E directly on mobile devices,” he explains.

“Manipulating the existing code to create newer variants with different configurations is nothing new from a traditional malware development practice.”

However, Venkatesan adds that the adoption of RAD methodology shows how attackers are attempting to find quicker, more flexible ways to create malware.

To protect against these threats, Symantec recommends that people at risk keep their software and operating systems up to date, do not install apps from unfamiliar sources, back up their devices and install a suitable mobile security app.
