2015 Android Malware Threat Report (I): Threats from Android Ransomware and SMS Trojans Extend to Multiple Systems
Executive Summary
Ransomware has plagued Windows PCs for the past few years. Recently, however, ransomware is no longer limited to Windows: it has reached Linux and Android.
Although ransomware on these two platforms is not as advanced as on Windows, Android ransomware still has serious consequences, ranging from interruption of use to significant financial loss. Bitdefender's Android telemetry counts the number of affected devices; it shows that the top-ranked ransomware in the UK, Germany and Australia is the Android.Trojan.Slocker family.
Android ransomware can have more serious consequences than PC ransomware, because mobile devices hold more personal information that has not been backed up, and sometimes enterprise data as well. Because data that is lost or made inaccessible is irrecoverable, users are more inclined to pay to recover their contacts, message conversations, images and files.
Key survey results
19.55% of threats worldwide are fake apps, which come bundled with malware or are vulnerable to attack;
45.53% of the world's Android ransomware targets the United States;
78.36% of the world's SMS-sending malware targets American users;
The countries with the most ransomware are Germany, followed by Britain and Australia.
Ransomware profits
In September 2015, Bitdefender research showed that extortion victims were willing to pay $500 to get their data back.
Whether it is Android ransomware, Windows ransomware or even Linux ransomware, this kind of malware-as-a-service has become an economic industry: attackers will try to deliver malware to potential victims who are willing to pay.
For example, the PC-side Cryptolocker/Cryptowall ransomware was reported to sell for $3000, a business model that benefits both the customers and the malware developers. With a more effective distribution method, more victims are infected and the return on investment is huge.
Linux ransomware is the newest type. Because it has been prone to encryption flaws that let users recover their data without paying, it is easily overlooked by security researchers; they nonetheless agree that Linux ransomware may become more sophisticated and more common in future iterations.
As Linux-based servers run more and more network infrastructure, ransomware that infects Linux servers and locks web servers could be more destructive than expected.
Among mobile operating systems, Android has the largest market share. Android ransomware has also been found trying to lock the device, and each iteration makes it harder to remove.
Spread of Android devices
The number of Android devices worldwide has grown steadily over the past few years. According to shipment estimates, 1.2 billion Android devices were sold in 2015; in 2014 the number was around 1.1 billion. The slowing growth in Android device sales suggests that the phone market is saturated. The data shows that a very large number of devices are running Google's mobile operating system.
As more users adopt Android and its market share keeps growing, malware developers have also turned to Android to maximize their gains. Malware authors are following the same trend that PC malware followed a few years ago: where the earliest malware tended merely to damage the victim's machine, today's threats on PC and Android alike are serious because the malware can steal user data and demand money, not just damage the device.
In 2015, Android's 81% market share encouraged malware developers to quietly target the mobile platform, harvesting data or extorting money from victims.
Evolution of Android ransomware
Because the Android operating system is more flexible than other mobile operating systems and lets users load applications from untrusted or unauthorized sources, this openness is also a threat vector for the platform.
Although the number of users under attack is not yet large, some notorious Android ransomware variants have begun to appear in the media. Simple counterfeit and ransomware apps hide inside simple applications; these have since evolved to take commands from a command-and-control server for each victim, send back personal information, and receive updates pushed to the infected device.
1. Disguised applications and counterfeit software
The first Android ransomware variant, found in 2013, was not as mature as PC-side ransomware. It disguised itself as a legitimate application and made users believe their phone was infected and their data stolen. To "fix" the threat, the user had to pay for a "full license", that is, pay for the security solution to remove all the malware it claimed to have found. If you try to delete this disguised application manually, you find that its process cannot be killed.
The malware development team behind the PC-side ransomware Reveton/IcePol has also developed similar ransomware for Android devices, disguised as a video player offering access to pornographic content. Unlike ransomware on Windows, Android malware genuinely requires user interaction to install the apk file carrying the malware, which would give advanced users pause; it can only deceive less technical victims.
Once installed, it sends the device's IMEI number to the command and control server and then fetches an HTML page telling the victim how much to pay to regain control of the device.
Because the actual message is displayed in a browser window on top of the screen, the window keeps popping back up when you try to remove the application; the options are to uninstall it quickly before it starts, or to boot the device into safe mode.
Although this variant does not actually encrypt any data on the device, it indicates that malware developers will be interested in applying the same threat strategy to Android devices in the future.
2. PIN lockers
Another innovative ransomware, the PIN locker, changes the device's PIN lock. Unlocking demands up to $500.
It obtains device administrator permission by impersonating a system update, then generates a random PIN that replaces the original password. Until now ransomware has only blackmailed users; this new method is even trickier.
To regain access to the device without losing all stored data, the user must have rooted the device beforehand or have an MDM (mobile device management) solution in place before infection. If the device is rooted, one only needs to connect to it through ADB (Android Debug Bridge) and delete the file containing the PIN (such as password.key). Otherwise, a factory reset is the only way to regain access.
3. File encryption
Only a few Android ransomware samples closely resemble the PC version; this file-encrypting kind was dubbed Simplelocker by the media. As a pioneer of its type, it shows a high degree of maturity in its development.
Android prevents malware from tampering with files stored in the device's internal storage, but ransomware can encrypt data on an external SD card. Because users often rely on SD cards to expand their storage capacity, this ransomware has great potential to affect many victims.
Distribution and attack vectors
One of the most popular distribution mechanisms is still third-party app markets, and there is already precedent for malware entering the Google Play store. Several CAPTCHA-bypassing Android malware samples have been reported on the official Google market, two of which had up to 100,000 and 500,000 downloads respectively.
In addition to subscribing victims to expensive premium services, some advanced samples also use obfuscation techniques to hide their classes, functions, the commands they receive, and their command and control servers.
Other Android ransomware distribution methods include spam; attackers count on users reading email on Android devices. Bitdefender detected more than 15000 spam emails whose attachments contained compressed files carrying the malware. The victim must pay $500 to regain access to the device.
Although ransomware is rarely distributed through malicious advertising, the phenomenon does exist. In 2015 there were several reports of infected Android apps being distributed through in-app advertising, with all affected users using third-party app markets. Since much PC-side ransomware has infected users this way, we can assume Android ransomware will be distributed the same way in the near future.
Victims' reaction to ransomware
According to a Bitdefender survey, 50% of ransomware victims chose to pay the ransom. Americans are the most willing to pay for peace of mind, followed by the French and Romanians, with payment rates of 44% and 48%.
Note: There is no doubt that ransomware on Android will soon become a major threat to users' information and property. Mobile devices are becoming more and more important in our lives: every day we spend more time on smartphones than on PCs, smartphones keep getting more powerful, and when needed we choose to work on a phone or tablet instead of a computer. Therefore, as smartphone users we need to learn how to protect our information and our interests. Check each apk carefully before installing it, and do not grant root permission on the phone; both are good ways to prevent potential attacks.
In the 2015 Android ransomware analysis report (II), we will continue to explore Android ransomware: the most serious ransomware attacks in the world, what other effective methods can prevent or stop ransomware attacks, and how SMS Trojans compromise their victims. Stay tuned for the next report!