Researchers at Zscaler have found a new variant of Android ransomware that evaded detection by every mobile antivirus engine at the time of its discovery.
According to Zscaler, which first spotted the infections, the unidentified attackers behind this threat are using several different websites to spread their payload.
The attackers are currently targeting a Russian-speaking audience. The ransomware also lacks any decryption routine, which means that even if victims pay the ransom, they cannot unlock their phones or recover their data.
How This Ransomware Works
The infection chain is simple and copied from many ransomware families that came before it. The attacker first picks a popular app from the Play Store, clones it and disassembles it.
The attacker then modifies the app and inserts the malicious payload. Finally, the attacker combines the code with their own routines, repackages the app and uploads it to various sources on the internet.
When a user downloads and installs this untrusted app, believing it to be legitimate, the malicious code waits four hours before flooding the phone's screen with pop-ups asking for administrator rights.
The pop-ups cannot be dismissed: they reappear over and over until the app is granted the rights it asks for.
Once the app has administrator rights, it locks the user's display with a ransom note (shown below) telling the user to pay 500 Russian rubles.
To pressure victims into paying, the ransom note also threatens to send an SMS to all of the victim's contacts stating that the victim was caught watching illegal adult material online.
How Does the Ransomware Evade Antivirus Checks?
The sample evades detection partly because its code is heavily obfuscated and partly because it uses Java reflection to invoke its malicious routines at runtime rather than calling them directly.
The four-hour execution delay also defeats security solutions that rely on dynamic analysis, which typically install and interact with an app for only a few minutes.
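As an added defender-side example (not code from the Zscaler write-up), the following Python triages a decompiled APK for the three traits described above: a receiver that binds as device administrator, reflection-based method invocation, and a multi-hour delay constant. The manifest, the smali fragments and the one-hour threshold are constructed assumptions for this example.

```python
"""Static triage for the device-admin, reflection and delayed-execution indicators described above.
Sample data is constructed for this example; the smali fragments are assumed, not taken from the Zscaler analysis."""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest of a repackaged app that registers a device-admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.repackaged">
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed smali fragments of the kind a reflection-based loader with a timer leaves behind.
SAMPLE_SMALI = [
    "invoke-static {v1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;",
    "invoke-virtual {v2, v3, v4}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;",
    "const-wide/32 v0, 0xdbba00",  # 14,400,000 ms = 4 hours (constructed delay constant)
    "invoke-virtual {v5, v6, v0, v7}, Landroid/app/AlarmManager;->set(IJLandroid/app/PendingIntent;)V",
]

REFLECTION = re.compile(r"Ljava/lang/reflect/|Ljava/lang/Class;->forName")
CONST = re.compile(r"const(?:-wide)?(?:/\d+)?\s+v\d+,\s*(-?0x[0-9a-fA-F]+|-?\d+)")

def device_admin_receivers(manifest_xml):
    """Receivers protected by BIND_DEVICE_ADMIN, i.e. components that can hold admin rights."""
    root = ET.fromstring(manifest_xml)
    return [r.get(ANDROID + "name") for r in root.iter("receiver")
            if r.get(ANDROID + "permission") == BIND_ADMIN]

def reflection_calls(smali_lines):
    """Lines that resolve or invoke methods through reflection instead of direct calls."""
    return [line for line in smali_lines if REFLECTION.search(line)]

def long_delays_ms(smali_lines, threshold_ms=60 * 60 * 1000):
    """Integer literals of at least threshold_ms (default one hour): a delay that outlasts most sandboxes."""
    values = [int(m.group(1), 0) for m in map(CONST.search, smali_lines) if m]
    return [v for v in values if v >= threshold_ms]

def triage(manifest_xml, smali_lines):
    """Any two of the three indicators together are enough to flag the sample for analyst review."""
    hits = {"device_admin": bool(device_admin_receivers(manifest_xml)),
            "reflection": bool(reflection_calls(smali_lines)),
            "long_delay": bool(long_delays_ms(smali_lines))}
    hits["verdict"] = "review" if sum(hits.values()) >= 2 else "clean"
    return hits
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_SMALI)` to see all three indicators fire on the constructed sample; a benign manifest with no admin receiver and no long constants comes back "clean".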
According to Zscaler analyst Gaurav Shinde, "Considering the stealth tactics designed into this sample, it wouldn't be difficult to imagine the author successfully uploading this ransomware to the Google Play Store."
Zscaler researchers say their analysis of the ransomware's code found no function that checks whether the victim has paid the ransom, and none that sends an SMS to the contacts on the victim's phone.
If a device is infected with this strain, the researchers advise booting it into Safe Mode, removing the app's Device Administrator privilege, and then uninstalling the app.