New wave of Android Ransomware lurks behind FBI porn warning, finds Bitdefender

Thousands of Android users are at risk of having their mobile devices and private contents locked by a particularly ruthless ransomware that demands US$500 to restore access, warns antivirus solutions provider Bitdefender. Users who try to unlock their devices on their own will see the amount increase to $1,500, with payment demanded via MoneyPak and PayPal My Cash transfers.

Bitdefender has detected over 15,000 spam emails carrying zipped attachments, originating from servers located in Ukraine. Posing as an Adobe Flash Player update, the malware is downloaded and installed as an innocent-looking video player. When the user tries to run it, a fake error message is displayed.

"After pressing OK to continue, users see an FBI warning and cannot escape by navigating away," states Catalin Cosoi, Chief Security Strategist at Bitdefender. "The device's home screen delivers an alarming fake message from the FBI telling users they have broken the law by visiting pornographic websites. To make the message more compelling, hackers add screenshots of the so-called browsing history. The warning gets scarier as it claims to have screenshots of the victims' faces and know their location."

Bitdefender detects the threat as Android.Trojan.SLocker.DZ. This is one of the most prevalent Android ransomware families as the authors regularly create new variants. Bitdefender's internal telemetry shows multiple versions of this malware family, bundled with spam messages originating from different .edu, .com, .org and .net domain servers.

Catalin Cosoi continues, "Unfortunately, there is not much users can do if infected with ransomware, even if this particular strain does not encrypt the files on the infected terminal. The device's home screen button and back functionalities are no longer working, and turning the device on/off doesn't help either, as the malware runs when the operating system boots."

In certain circumstances, Android users can reclaim control of their devices. If ADB (Android Debug Bridge, i.e. USB debugging) was already enabled on the infected Android device and the computer had been authorised to connect, users can uninstall the offending application from a computer over the ADB connection rather than through the locked screen.

Furthermore, if the mobile device supports it, users can attempt to boot the device into safe mode (the key combination varies by manufacturer). This option loads a minimal Android configuration in which third-party apps, including the malware, do not run, which can buy enough time to uninstall the malware manually from the Settings app.
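The ADB route above, as an added example that is not part of the original article or Bitdefender's own tooling: a small POSIX shell script that lists the side-loaded (third-party) packages on the connected device and uninstalls the one the user identifies as the fake video player. It assumes USB debugging was enabled and the computer authorised before infection; if `adb get-state` reports anything other than `device` (for example `unauthorized`), the RSA-key prompt was never accepted and the lock screen may prevent accepting it now. The package name is not known from the article and is supplied by the user; the sample `pm list packages` output used below is constructed.

```shell
#!/bin/sh
# Added example: remove a lock-screen ransomware APK over ADB.
# Assumes USB debugging was already enabled and this host authorised.
# ADB can be overridden (e.g. ADB=echo for a dry run).

ADB="${ADB:-adb}"

# Turn "package:com.foo.bar" lines from `pm list packages` into bare
# package names. Older adb versions emit CRLF, so strip the \r first.
parse_packages() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Third-party (-3) packages only: the malware was side-loaded, so it is
# in this list, and system packages cannot be uninstalled this way anyway.
list_third_party() {
    "$ADB" shell pm list packages -3 | parse_packages
}

# True only when the device is connected AND authorised. An
# "unauthorized" state means the RSA prompt on the phone was never
# accepted, which the ransomware overlay may be blocking.
device_ready() {
    state=$("$ADB" get-state 2>/dev/null) || return 1
    [ "$state" = "device" ]
}

# Uninstall one package. Reject anything that is not a plain
# dotted Java-style package name before handing it to adb.
remove_package() {
    pkg="$1"
    case "$pkg" in
        ''|*[!A-Za-z0-9._]*)
            echo "refusing suspicious package name: $pkg" >&2
            return 2 ;;
    esac
    "$ADB" uninstall "$pkg"
}

# Usage: sh adb_unlock.sh list
#        sh adb_unlock.sh remove <package.name>
case "${1:-}" in
    list)
        device_ready || { echo "device not connected/authorised" >&2; exit 1; }
        list_third_party ;;
    remove)
        device_ready || { echo "device not connected/authorised" >&2; exit 1; }
        remove_package "${2:-}" ;;
esac
```

Run `list` first and look for the package installed at the time of infection (the article's sample posed as a video player); then `remove` it. The name filter is deliberate: a package name is passed straight to `adb uninstall`, so an unexpected character should stop the script rather than reach the shell on either side.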

However, in the case of ransomware, prevention is key. Bitdefender offers five useful tips to help users avoid infection:

  • Never install applications from untrusted sources. Android blocks the installation of applications from outside the Play Store by default, but users are sometimes talked into changing that setting. If possible, leave it in its default state.
  • Regularly back up your data in the cloud or on an external drive.
  • Use an anti-malware solution for your Android device and keep it constantly updated and able to perform active scanning.
  • Follow good internet practices; avoid questionable websites, links or attachments in emails from uncertain sources.
  • Use a spam filter to reduce the number of malicious emails that reach your inbox.
