Over the last couple of months, two major threats to the constantly evolving cybercrime world are becoming more and more prominent. Cybercriminals are seeking new sources of profit, as the old ones become harder to exploit over time. Lately, we have noticed a new developing trend, a procreation that combines the two mentioned below.
The first trend on the rise is the targeting of Android systems. Although the subject is not new on underground platforms, and dedicated rooms for discussing vulnerabilities on Android were already opened a couple of years ago, we can definitely say that a big step forward has been made in recent months in this area.
Malware for Android is frequently seen on underground forums and uploaded to file-sharing platforms. Since the beginning of 2014 alone, we have monitored approximately ten malware tools for infecting Android devices, for example Dendroid, AndroRAT, iDroid (targeting both iOS and Android systems), Stoned Cat, etc. The modus operandi can be different, but the final target is always the same: monetary theft, as opposed to stealing credentials for mobile banking applications, sending premium SMS messages, or some other method. The infection technique also varies. It usually happens when the victim installs a new application that is actually the virus itself, obviously well-disguised as something harmless. Another infection vector is binding a malicious code to a legitimate application. Finally, there are the good old emails and SMS messages containing a link that initiates the download of malware.
The second trend is the growing number of ransomware viruses that lock the user’s computer and/or encrypt his files, then demand remuneration for restoring the computer to its initial state. The most infamous malware of this kind is Cryptolocker, but there are some more that we wrote about in the past.
If these two methods are profitable, why not combine them and increase the odds of earning more easy money? We recently noticed the sale of two “ransomware for mobile” products on the Russian underground. The first is called Block Android Mobile – offered alongside additional products by the same seller, such as Syslocker and BrowBlock. The seller and his services appeared on one of the closed Russian forums in February 2014, but the mobile ransomware was offered as a new function in April 2014. According to the seller, there are two APIs for this malware – the first redirects traffic to a lending page, where an automatic downloading of a malicious file occurs. The victim then has to run the APK file later. The second API injects the APK file, directly by the cybercriminal, wherever he desires. A deeper analysis of this malware was provided in the Malware don’t need coffee blog, as he came across its files in action.
Another ransomware for mobile is Tor Android Cryptolocker. This was offered for sale for US$5,000 about two weeks ago. Once installed on the mobile device, the malware blocks the screen, thus preventing its deletion. At the same time, it encrypts all the files of a defined format that are found on the SD card and in the phone’s memory (including music, photos, videos, etc.). The victim is asked to pay a certain amount of WebMoney, and then his phone is unblocked. The author was offering only three copies for sale. According to our last check, two were already sold. This probably means that we will soon see this malware in action.
Taking into account the important role that mobile phones play in our lives, this can be a very profitable means of money extortion. Buying a new phone may not always be cheaper than paying hundreds of dollars to get the old one back. And there are also all those pics and videos (of extremely high emotional value) that we do not always backup, although it is widely known that we should. Cyber criminals can be good psychologists sometimes, and they can hurt us in the most painful places.