A new Android ransomware delays activation of malicious functionality and works to confuse anti-virus solutions, researchers said.
The malware was inside the repackaged Russian entertainment social network app OK, which the malware author disassembled to insert malicious code, Zscaler researchers said. The legitimate variant of OK, which has over 50 million downloads in Google Play, did not suffer compromise.
The first evasion technique used starts up malicious activity four hours after initial download. Most detection mechanisms expect malware to immediately start operation, meaning this ransomware won’t be immediately detected.
After the four hours, users end up prompted to activate device administrator rights for the application. Users can’t dismiss the activation screen and clicking the “Cancel” button won’t help either, because the screen is immediately re-displayed until admin rights are enabled, the researchers said in a blog post.
As soon as this happens, the malicious app locks the device’s screen and displays a ransom note.
Users receive the message they need to a 500 Rubles ransom to restore data and unlock the device. The attackers also attempt to scare users into paying by claiming that they would send a message to all the victim’s contacts to inform them that the device has been “blocked for viewing child pornography.”
The malware does not exfiltrate any of the victims’ data, and it has no means of unlocking the compromised device, researchers said. Although the ransomware does inform the command and control (C&C) server of the new victim, it has no mechanism to confirm the ransom was paid, meaning the device remains locked regardless of victim’s willingness to pay or not.
In addition to the delayed start of malicious activities, the ransomware’s malicious code is highly obfuscated.