Android users should be very vigilant when choosing mobile apps, as a new strain of ransomware named Slocker has made a comeback with over 400 unique variants targeting employees and corporate data. Slocker has been known since the second half of 2015, when the threat was among the top 5 Android malware families. The infection would disable the back button on the device and display an intimidating message. Users, however, did have some time to try removing the infection by pressing the home button and dragging the app to the top to uninstall it.
In 2016 the threat hit the headlines after causing havoc among SMB companies when employees' mobile devices were locked up. The Slocker ransomware is considered to be the first Android ransomware that encrypts files on mobile devices and uses the Tor anonymizing network to communicate with its command-and-control (C&C) servers.
The notorious ransomware of August 2016 caused enormous financial damage, estimated at around $10 million. The precise costs of the damage were not revealed. Soon the compromised devices were updated, and the infection seemingly disappeared. Both the mid-2016 threat and the recent variants are targeted at the business sector through third-party mobile app stores and websites. All the variants are reported to have very low detection rates.
The new strains of the ransomware are dubbed polymorphic, as they have been redesigned to bypass all known detection techniques. For example, the variants have altered icons, changed package names, unique resources, and different executable files. The detected variants of the Slocker ransomware spread as fake health apps, podcast players, media players, and other applications. One of the most notable changes in Slocker's app icon is the shift from a red circle to an image of Iron Man. Minor changes are also present in the text displayed to the end user, including grammar improvements and regional variations.
Upon installation, Slocker scans the device for photos, images, text files, video and audio files, and encrypts the data found with the AES encryption algorithm. Once the infection completes the encryption process, it hijacks the phone, which results in blocked access to the screen and the display of a threatening message. Usually, the message informs the victim that the encrypted data will be permanently destroyed or exposed unless the ransom fee is paid. In some cases, the victim is accused of storing adult-related content, which is claimed to be the cause of the lock-up. On top of that, some variants have been programmed to take over device administrator rights, meaning that the remote attackers can access the victim's camera, speakers, and microphone.
The latest versions of the Slocker ransomware were discovered by Wandera Inc, a mobile security firm. More specifically, the malicious variants were identified by the mobile intelligence engine MI:RIAM, which analyzed the malware's architecture. In total, the number of detected variations has increased to approximately 3,000. The MI:RIAM engine is designed to learn the structure of malware and other Internet threats, which leads to the successful discovery of new threats. MI:RIAM is also capable of analyzing data inputs from the multiple mobile devices connected to Wandera's platform in order to compare the behavior of multiple devices and identify anomalies.
This wave of Slocker is known as the second since mid-2016. The Slocker ransomware was also found pre-installed on some Android devices alongside Loki, a data-stealing Trojan horse that also displays revenue-generating advertisements. Fortunately for the affected users, the Loki Trojan was employed only to download other applications and display superfluous advertisements. In total, 38 devices were found to be affected.
The findings show that ransomware is evolving and is capable enough to deceive both Windows and Android users. The profits made by ransomware are growing every year, and security experts are doing their best to raise awareness of the danger of questionable software sources. It is crucial to avoid third-party software and mobile app distributors in order to avoid installing dangerous malware or a backdoor for destructive Trojans or ransomware. Before installing a mobile app, it is worth checking its reviews to ascertain whether it has been installed successfully by real users and hasn't caused any issues.