Android Ransomware Predictions Hold True

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding user’s Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.


As part of our pre-emptive SMS spam domain identification, we have detected a recently-registered domain that is currently serving a new Android FakeAV app using ransomware social engineering.  Different hints led us to believe that this application is linked to, or coming from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite it using a new design and a different ransom payment method, this new variant still contains the older images in its package file. Both versions mainly target Russians users.

Although we have not confirmed the infection vector of this variant we suspect spam, containing a link to the malicious domain, is used.

Domain picture 2.JPG

Figure 1. Recently-registered domain serves malicious Android app

The author behind this malicious application helps users install Android apps from unknown or third-party sources.

Symantec detects this malicious app as Android.Fakedefender.B. It has been impersonating the official application of an adult video website and user who falls prey to the social engineering and installs the app will end up locked out of their Android device.

Once installed a warning message prompts users to run an antivirus scan before entering the full application.

The previous version of this malware impersonated the Android Defender app. In this version, the malware impersonates the Avast antivirus brand. As soon as the antivirus scan finishes, it tricks the user into believing their device is infected by different threats and viruses and informs them their device is locked for protection.

In this variant, the ransom payment method the authors use is MoneyPak—$100 USD to unlock the device— compared to the previous version where the malware authors were asking for the user’s credit card number in exchange of unlocking their phones.  Web money is a popular payment method used by FakeAV and ransomware threats on the Windows platform and has been for many years now. Paying through one of these Web payment companies would perhaps appear more legitimate and secure to affected users than directly handing over their credit card details.


Figure 2. Fake AV app

Since FakeAV and ransomware on Windows systems have been successful for many years – continuing to evolve with new techniques and designs – we have been expecting Android mobile malware to evolve in the same way and come up with new tricks in order to entice users into paying ransoms.

At this time, Android.FakeDefender.B is not incorporating any exploits in an attempt to stop victims from removing the infection. We have previously seen other Android malware, such as Android.Obad, using exploits to surreptitiously extend device administrator privileges making the malware removal difficult. The authors of Android.FakeDefender.B are relying on social engineering and simple tricks such as continuous pop-ups in attempts to extort money from its victims. Anyone infected with Android.FakeDefender.B can manually uninstall the software through Application Manager on their Android device.

To avoid being initially infected, Symantec recommends all users install a mobile security app, such as Norton Mobile Security or Symantec Mobile Security. Malicious apps can also be avoided by only downloading and installing apps from trusted app markets. For general smartphone and tablet safety tips, please visit our Mobile Security website.