900,000 Android Phones Hit by Ransomware in 30 days

You are guilty of child porn, child abuse, zoophilia or sending out bulk spam. You are a criminal. The Federal Bureau of Investigation has locked you out of your phone and the only way to regain access to all your data is to pay a few hundred dollars.

That message — or variations of it — has popped up on hundreds of thousands of people’s Android devices in just the last month. The message claims to be from the F.B.I., or cybersecurity firms, but is in fact the work of Eastern European hackers who are hijacking Android devices with a particularly pernicious form of malware, dubbed “ransomware” because it holds its victims’ devices hostage until they pay a ransom.

Ransomware is not new. Five years ago, criminals in Eastern Europe began holding PC users’ devices hostage with similar tools. The scheme was so successful that security experts say many cybercriminals have abandoned spam and fake antivirus frauds to take up ransomware full time. By 2012, security experts had identified more than 16 gangs extorting millions from ransomware victims around the world.

Now those same criminals are taking their scheme mobile, successfully infecting Android devices at disturbing rates. In just the last 30 days, roughly 900,000 people were targeted with a form of ransomware called “ScarePackage,” according to Lookout, a San Francisco-based mobile security firm.

“This is, by far, the biggest U.S. targeted threat of ransomware we’ve seen,” said Jeremy Linden, a senior security product manager at Lookout. “In the past month, a single piece of malware has affected as many devices in the U.S., as a quarter of all families of malware in 2013.”

In addition to ScarePackage, Mr. Linden and a team at Lookout have also been tracking another strain of ransomware dubbed “ColdBrother,” or “Sypeng,” which not only locks users out of their device, but can take a photo from the device’s camera, can answer and drop phone calls and search for banking applications on the device.

And in just the last three weeks, Lookout discovered a new form of ransomware called ScareMeNot, which has already managed to infect more than 30,000 Android devices.

Victims get infected with the ransomware through a method known as a “drive-by download” in which they simply need visit a website — in some cases a pornography site — to inadvertently download the ransomware onto their machine. In other cases, they download the ransomware by downloading fake apps that masquerade as popular services such as Adobe Flash or an anti-virus product.

Once infected, it is very difficult to remove. Typically, criminals will flash a fake image onto the user’s screen which purports to be from the F.B.I. or Mandiant, a cybersecurity firm now owned by FireEye, or a U.S. cyber crime task force, informing them that they have violated a law and will not be able to regain access to their device and data until they have paid several hundred dollars in a Moneypak voucher.

An example of a fake message purporting to be from the F.B.I. on a hijacked Android device infected with so-called ransomware.

It is unclear whether users will then actually regain access to their device if they pay. Lookout said it did not get that far because it refused to pay any money to cybercriminals.

By reverse coding the ransomware, Lookout’s engineers found several clues indicating that the ransomware’s authors are of Eastern European origin. Russian and Slavic words and slang appeared in the code.

Lookout’s chief technology officer, Kevin Mahaffey, cautioned that Android users not “freak out.” Mr. Mahaffey suggested that people be careful about links they visit and where they download apps from. “There’s malware in the Google Play store but there’s more malware outside Google Play,” Mr. Mahaffey said.

Most importantly, Mr. Mahaffey said, if you do find yourself inadvertently installing an application, be sure not to grant the application any administrator privileges.

Of course, Lookout has a vested interest in publicizing this mobile ransomware threat. Lookout, which just received $150 million in venture capital financing, detects and stops these strains of ransomware from infecting users who download its mobile app for Android and iPhones.

Source – http://bits.blogs.nytimes.com/2014/08/22/android-phones-hit-by-ransomware/?_php=true&_type=blogs&_r=0