The current generation of Android banking trojans are all equipped with ransomware-like features in order to lock the user's device, and in some cases encrypt data.
Despite possessing such dangerous functions, very few Android banking trojans deploy them, focusing on their primary job of collecting login credentials for banking portals and instant messaging applications.
Nevertheless, when the ransomware feature is activated, the crooks behind the banking trojan do it for a very good reason. In most cases, the trojan's ransomware feature is used as a secondary monetization feature, activated on devices where the original banking trojan has failed to collect login credentials or credit card details. Not all users who get infected with an Android banking trojan use banking applications, so the ransomware feature is the crooks' last ditch effort to extract some form of payment from their victims. One such threat is Android.SmsSpy.88, detected by Dr.Web security researchers this May and rented on underground hacking forums.
Ransomware used to keep victims "busy"
But there's a more insidious reason to activate a banking trojan's ransomware screen-locking feature, and that's to keep users busy as attackers initiate fraudulent transactions. While the user is trying to figure out how to unlock his phone, crooks hope the victim would be to busy to see the SMS or email alerts he receives for large or fraudulent transactions that take place inside his bank account.
By the time the user manages to remove the ransom screen or reinstall his device, attackers had hours, even days, to move the stolen funds to different bank accounts, and withdraw them via ATMs, so authorities lose their tracks. The best example for this is a malware detected only as Fanta SDK, discovered by Trend Micro at the end of May.
New banking trojan supports mobile crypto-ransomware
These two, Android.SmsSpy and Fanta SDK, along with the original Svpeng banking trojan, the first to add ransomware-like features, only came with support for locking the user's screen with a random PIN. According to Kaspersky Lab's malware analyst Roman Unuchek, a recent version of the Faketoken (Trojan-Banker.AndroidOS.Faketoken) trojan has now added ransomware features that support encrypting user files as well, just like modern-day desktop ransomware.
The Faketoken encryption process uses the AES algorithm to lock files. Files with 89 different extensions are targeted, but according to Unuchek, the encryption feature is rarely used, the trojan focusing on its phishing capabilities, which currently target more than 2,000 financial apps and users in 27 countries.
The trojan, which first appeared in July 2016, is your regular run-of-the-mill Android banking trojan, but its crypto-ransomware feature shows a glimpse of the future of Android banking trojans, which will find ways to extort money from all victims, not just a selected few. Similarly, another Android banking trojan called Tordow also featured support for encryption-based ransomware features.
Nevertheless, due to nature of today's mobile OS landscape, mobile ransomware is not as dangerous and efficient as on desktops and laptops. "We would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently)," says Unchuk, "which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless."