Android Ransomware Predictions Hold True

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding user’s Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.


As part of our pre-emptive SMS spam domain identification, we have detected a recently-registered domain that is currently serving a new Android FakeAV app using ransomware social engineering.  Different hints led us to believe that this application is linked to, or coming from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite it using a new design and a different ransom payment method, this new variant still contains the older images in its package file. Both versions mainly target Russians users.

Although we have not confirmed the infection vector of this variant we suspect spam, containing a link to the malicious domain, is used.

Domain picture 2.JPG

Figure 1. Recently-registered domain serves malicious Android app

The author behind this malicious application helps users install Android apps from unknown or third-party sources.

Symantec detects this malicious app as Android.Fakedefender.B. It has been impersonating the official application of an adult video website and user who falls prey to the social engineering and installs the app will end up locked out of their Android device.

Once installed a warning message prompts users to run an antivirus scan before entering the full application.

The previous version of this malware impersonated the Android Defender app. In this version, the malware impersonates the Avast antivirus brand. As soon as the antivirus scan finishes, it tricks the user into believing their device is infected by different threats and viruses and informs them their device is locked for protection.

In this variant, the ransom payment method the authors use is MoneyPak—$100 USD to unlock the device— compared to the previous version where the malware authors were asking for the user’s credit card number in exchange of unlocking their phones.  Web money is a popular payment method used by FakeAV and ransomware threats on the Windows platform and has been for many years now. Paying through one of these Web payment companies would perhaps appear more legitimate and secure to affected users than directly handing over their credit card details.


Figure 2. Fake AV app

Since FakeAV and ransomware on Windows systems have been successful for many years – continuing to evolve with new techniques and designs – we have been expecting Android mobile malware to evolve in the same way and come up with new tricks in order to entice users into paying ransoms.

At this time, Android.FakeDefender.B is not incorporating any exploits in an attempt to stop victims from removing the infection. We have previously seen other Android malware, such as Android.Obad, using exploits to surreptitiously extend device administrator privileges making the malware removal difficult. The authors of Android.FakeDefender.B are relying on social engineering and simple tricks such as continuous pop-ups in attempts to extort money from its victims. Anyone infected with Android.FakeDefender.B can manually uninstall the software through Application Manager on their Android device.

To avoid being initially infected, Symantec recommends all users install a mobile security app, such as Norton Mobile Security or Symantec Mobile Security. Malicious apps can also be avoided by only downloading and installing apps from trusted app markets. For general smartphone and tablet safety tips, please visit our Mobile Security website.

Multiplatform Fake AV Uses Different GUIs

Since the beginning of October we have seen a variant of fake antivirus malware that belongs to the FakeRean family of rogue security products. FakeRean is distributed by drive-by downloads or is dropped and executed by another malware. It blocks victims from accessing any other legitimate application on an infected machine. Like other fake AV products, it claims to detect infections and displays alerts to scare users into purchasing “protection.” In reality this program does not scan your computer. These rogue malware extort money from PC owners to “fix” their systems. This malware also blocks users from accessing or executing any .exe file on the victim’s machine.

The main difference with this rogue is that it brings up a different GUI depending on the version of Windows it infects.

We can see some GUIs below:


Once executed, the Trojan disables the security system on the victim’s machine.

Like other infections of rogue security products, this variant scares its victims and steals money if they pay for protection. The malware tricks the victims into purchasing the “full” version.

Victims can regain control of their machines by clicking the Manual Activation tab, as shown below, and entering the activation code 3425-814615-3990. This will not remove the malware but it will allow users to work again.

A series of fraudulent progressive bars and scans will show up when the victim clicks Continue.

After the fake updates have been “downloaded,” a victim’s Internet browser will work normally.

The malware is designed to select the color radiant of the GUI that it uses.

The Trojan enumerates the running processes, looking out for AV and security-related services. If found, it terminates them.

A new UPX-packed file is written in memory and executed.

After we unpacked the file, we found many strings that appear on the fake AV GUI.

Advice to Customers

Keep your systems updated with the latest patches. Insure your antimalware software is updated with the latest DATs. Always run a reputable firewall on your machines. And beware of drive-by downloads when visiting any new websites.









‘System Progressive Protection’ Another Form of Fake AV

System Progressive Protection, a new malware pretending to be antivirus software, first appeared a couple of days ago. It belongs to the Winwebsec family of rogue security products. The malware is distributed by drive-by downloads or is dropped and executed by another malware. It blocks its victims from accessing any other application on an infected machine. It claims to detect infections, and displays alerts to scare users into purchasing protection. These rogue malware extort money from PC owners to “fix” their systems. In reality, this program doesn’t scan your computer at all.

Once the “scan” is complete, System Progressive Protection scares its victims by reporting some applications infected by malware. The malware also connects to IP address through port 1214. The victim cannot run any applications at this point. The malware claims all applications are infected by some malware.

When the victim attempts to activate System Progressive Protection, a web page opens and asks for an online payment.

The malware tells its victims to enter the activation code.

After victims enter the activation code, they can again use their applications, but the fake AV still remains on the machine.

After registering, victims see a message that all the infections have been cleaned. They also get an Internet shortcut file to System Progressive Protection support.

This web page appears to offer a user guide, support, and FAQ.

The malware writes a new file (compressed with PECompact) in memory and executes it.

The encrypted data is taken from .rsrc section.

Files dropped on the victim’s machine after infection:

  • %Desktopdir%\System Progressive Protection.lnk
  • %Programs%\System Progressive Protection\System Progressive Protection.lnk
  • %AppData%\[random]\[random].exe

Registry entries to be removed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “[SET OF RANDOM CHARACTERS]“
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection\

Removing this rogue AV is comparatively easy. Dropped files and registry entries must be deleted. The malware blocks many of the victims’ applications but not Internet Explorer. They can still get online to seek help from antimalware websites:


Advice to Customers

Keep your systems updated with the latest patches. Ensure your antimalware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites.

Ransomware Uses McAfee SECURE, Police Logos to Scam Users

McAfee Labs researchers have seen an increase in instances of the McAfee SECURE logo being falsified as part of a “ransomware” campaign. Once a machine is infected, the malware checks to see which country the user is located in. It then displays a localized graphic containing a police logo and a message announcing that the machine has been locked and can be unlocked only after payment has been made via Ukash or a similar online payment mechanism. (For more on how ransomware operates, read this blog from my colleague François Paget.)

An infected machine located in Ireland might display an image similar to this:

However, an infected machine in Germany might look like this:

Both look official, yet both are unfortunately very much a scam. Users should never pay to have their machines “unlocked.” We often see this type of ransomware attempt to download further malicious software to the machine; so even if the machine has been unlocked there can be more malware waiting in the wings.

We have seen ransomware in various forms for many years, but new variants are regularly released by malware authors to try to avoid detection. As ever, users should keep their antivirus definitions updated, run a personal firewall and URL reputation software, and employ best security practices at all times.

We have seen the McAfee SECURE logo misused not just as part of this campaign, but also on malicious websites attempting to fool users into trusting the site. However, there are some simple steps you can follow to be sure that you are seeing the genuine article. You can read about those here. Furthermore, if you are using McAfee SiteAdvisor, true McAfee SECURE customers will be marked in your search results. Here’s an example.