Ransomware is a real threat and it has now found a new home. In a surprising and shocking revelation, a ransomware app managed to get into Google play store damaging at least one real world device. A charge app named EnergyRescue was installed by few innocuous Android users expecting it to be a new charging app. Later, one of the user complained about all lost data and ransom amount on a social media platform. It quickly made a headline.
Ransomware like Cerber & CryptoLocker have already been haunting Windows users. In one of the shocking news, half of the users end up paying ransom amount due to the sensitivity of the data (read more). Mobile ransomware an emerging threat and this could become a big issue in the future. It also points out the fact that large number of Android users are vulnerable.
EnergyRescue mobile ransomware was found on the Google play store. Initially, it stole all the contacts and other sensitive data like SMS etc. Upon granting administrator rights, the app would lock the entire device and ask for a ransom. Imagine what would have happened if this app had managed to slip into millions of device. The app asked for 0.2 bitcoin– around $180– in a ransom amount as it happens typically in all incidents. Following was the message given on the device.
You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family.
The threat like selling the data in black market makes the situation worst. All personal data like credit card info, password, sms, social accounts, bank account and contact details are stolen and stored on remote server.
Researchers are yet to find out where the code was generated or downloaded from. Devices s located in the Ukraine, Russia, or Belarus doesn’t run the malicious code. This implicates that the cybercriminal behind mobile ransomware might be based out of Eastern Europe. Of course, it is still unknown if the data was really stolen and backed up on remote server. In many cases such claims are false just to trick the users into paying the ransom amount. Bitcoin is always a preferred payment option in such case making it impossible where the money is going to.
As of posting this, the ransomware app has been taken down from the Google play store. Investment is going on to see how the malicious code was injected in the app. The app development company has been given full support to help the researchers. However, it is believed that this might just a small testing before a large attack happens. To make the situation worse, cybercriminals can also push it to a large number of users. Imagine how easily they can distribute it via APK files hosted on apps not hosted on Google Play store.
The malicious code was inserted smartly. Researchers are yet to find out the original. It also escaped from Google’s bouncer security scanner app. This hints at the code that could have stopped the code from running on Android emulators making it impossible for Bouncer to detect. Users must be more careful about what they install from the Play Store. One should install only trusted app. It also points out the fact that one must take necessary action to stop ransomware distribution.
As a dedicated section on ransomware, we should be providing a guide on how to prevent ransomware being installed on the mobile, Windows and Mac device. Have you ever been a victim of ransomware? Do let us know your view about the same.