SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
20 Dec 2016

It's now commonplace for Android banking trojans to include ransomware features

The current generation of Android banking trojans are all equipped with ransomware-like features in order to lock the user's device, and in some cases encrypt data.

Despite possessing such dangerous functions, very few Android banking trojans deploy them, focusing on their primary job of collecting login credentials for banking portals and instant messaging applications.

Nevertheless, when the ransomware feature is activated, the crooks behind the banking trojan do it for a very good reason. In most cases, the trojan's ransomware feature is used as a secondary monetization feature, activated on devices where the original banking trojan has failed to collect login credentials or credit card details. Not all users who get infected with an Android banking trojan use banking applications, so the ransomware feature is the crooks' last-ditch effort to extract some form of payment from their victims. One such threat is Android.SmsSpy.88, detected by Dr.Web security researchers this May and rented on underground hacking forums.

Ransomware used to keep victims "busy"

But there's a more insidious reason to activate a banking trojan's ransomware screen-locking feature, and that's to keep users busy as attackers initiate fraudulent transactions. While the user is trying to figure out how to unlock his phone, crooks hope the victim will be too busy to see the SMS or email alerts he receives for large or fraudulent transactions that take place inside his bank account.

By the time the user manages to remove the ransom screen or reinstall his device, attackers had hours, even days, to move the stolen funds to different bank accounts, and withdraw them via ATMs, so authorities lose their tracks. The best example for this is a malware detected only as Fanta SDK, discovered by Trend Micro at the end of May.

New banking trojan supports mobile crypto-ransomware

These two, Android.SmsSpy and Fanta SDK, along with the original Svpeng banking trojan, the first to add ransomware-like features, only came with support for locking the user's screen with a random PIN. According to Kaspersky Lab's malware analyst Roman Unuchek, a recent version of the Faketoken (Trojan-Banker.AndroidOS.Faketoken) trojan has now added ransomware features that support encrypting user files as well, just like modern-day desktop ransomware.

The Faketoken encryption process uses the AES algorithm to lock files. Files with 89 different extensions are targeted, but according to Unuchek, the encryption feature is rarely used, the trojan focusing on its phishing capabilities, which currently target more than 2,000 financial apps and users in 27 countries.

The trojan, which first appeared in July 2016, is your regular run-of-the-mill Android banking trojan, but its crypto-ransomware feature shows a glimpse of the future of Android banking trojans, which will find ways to extort money from all victims, not just a selected few. Similarly, another Android banking trojan called Tordow also featured support for encryption-based ransomware features.

Nevertheless, due to the nature of today's mobile OS landscape, mobile ransomware is not as dangerous and efficient as on desktops and laptops. "We would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently)," says Unuchek, "which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless."

Tags: Android, information leaks, trojan

Source: BleepingComputer