New Android ransomware bypasses all antivirus programs. Infection continues even after the victim pays the ransom.
The Zscaler ThreatLabZ team has found a new variant of Android Ransomware. What makes this variant particularly scary is that it evaded all the antivirus programs tested against it at the time of writing this blog. During our investigation, we uncovered some other interesting findings.
One of the targeted apps is called ‘OK’, and it’s one of the most popular Russian entertainment social network apps. The targeted legitimate app is available on the Google Play Store and has between 50,000,000 – 100,000,000 installs. It is important to note that the OK app available on Google Play Store is NOT malicious. Fortunately, we haven’t yet spotted the new ransomware strain on the Google Play Store, but as you’re about to read, the techniques leveraged by this malware improve the chances for the payload to make it on the Google Play Store.
What happens when the malicious package is installed?
Similar to the aggressive adware samples found in Google Play Store that we covered in our blog last week, this malware stays silent for the first four hours after it is installed, allowing the original app to operate without any interference. This technique also allows the ransomware to evade antivirus engines as the app is executed. After four hours, users will see a prompt to add a device administrator as shown below.
Even if a user presses the Cancel button, the prompt reappears quickly, preventing the user from taking any other action or uninstalling the app. As soon as a user presses the Activate button, the screen will be locked and a full-screen ransom note will be displayed. …