Ransomware on Android & Infiltrated iOS: F-Secure Reports Attacks on Mobile Wallets & Virtual Currencies on Rise

Date: Monday, December 14, 2015

Are smartphones the most lucrative target for cyber criminals? The answer has to be a resounding 'Yes', for several reasons. One, smartphone growth is booming, especially in emerging markets like India. A recent Ericsson report on mobility highlights that the total number of mobile subscriptions in Q1 2015 was around 7.2 billion, including 108 million new subscriptions. India added the most net new mobile subscribers (26 million), followed by China. Globally, smartphone subscriptions are set to more than double by 2020.

If you are a cybercriminal, you would undoubtedly be thrilled at the opportunity. You would also be pleased that most smartphones do not have the same level of security as traditional PCs. Mobile devices are naturally the new frontier. Attacks that have proved successful on PCs are now being tested on unwitting mobile device users to see what works, and with the number of poorly protected mobile devices soaring, there are plenty of easy targets.

A recent report by F-Secure confirms this trend. Our Threat Report (H2, 2014) highlights that SMS-sending Trojans are growing and that ransomware attacks on mobile wallets and virtual currencies are on the rise. Both Android and iOS experienced malware that tried to attack banking applications and mobile wallets in H2 2014.
Cyber threats, including those targeting mobile devices, are directly linked to cybercrime. In most developed countries, creating and distributing malicious software is a criminal offence. Although such criminal acts are perpetrated in virtual environments, their victims lose real assets, such as personal data and money.

In the current scenario, threats that lock the user's data and/or device for payment are continuously growing. Ransomware is one such threat: it uses encryption or a similar mechanism to lock people out of their devices, and criminals use it to extort victims who must pay a ransom to regain access. Virtual currencies make ransomware much easier for criminals to use, and therefore more profitable and more useful to them. Surprisingly, ransomware developers have even built in safeguards to ensure their malware doesn't infect the same victims again after they have paid a ransom. For end users, ransomware is today the most prominent kind of digital threat.

While Google's Android operating system continues to be the favoured target for the majority of mobile malware, threats directed towards iOS exist, though there are far fewer of them. This doesn't mean that Apple's iPhones and iPads are immune. The number of documented vulnerabilities for iOS has increased significantly in the last couple of years. Coincidentally, both Android and iOS have experienced malware that has tried to attack banking applications and mobile wallets in recent times.

Malware such as premium-rate SMS-sending Trojans and ransomware continue to spread, making them a notable presence in today's digital threat landscape. 259 of the 574 known variants of the SmsSend family were identified in the latter half of 2014, making it the fastest-growing family of mobile malware. SmsSend generates profits for criminals by infecting Android devices with a Trojan that sends SMS messages to premium-rate numbers.
Another Trojan, TROJAN:ANDROID/SVPENG, spreads via SMS messages. This banking Trojan displays a phishing page when the user launches his or her banking app in order to capture account login details. Some variants also act as ransomware: they block the device and demand payment of a "fine" for alleged criminal activity.

Targeting the Android platform

Industry statistics suggest that a large share of the mobile device market is today occupied by the Android platform. This also means that Android-based devices inevitably attract the attention of cyber criminals who create and distribute malicious programs.
Ransomware continues to plague mobile users, with the Koler and Slocker families of ransomware identified as the top threats to Android devices. Since their debut in the first half of 2014, the Koler and Slocker ransom families have grown rapidly as their authors create new variants. These families are now the most prevalent Android ransomware.

On Android, the Koler and Slocker ransom-trojan families have also been busy increasing their count of variants, making them the largest ransomware families on that platform. The extreme difficulty in decrypting affected files without a decryption key, and the various thorny issues involved in paying a ransom (especially if a business is affected), makes ransomware a particularly difficult threat to resolve.

Spreading via SMS messages, Android/Svpeng is a banking Trojan that displays a phishing page when the user launches a banking app in order to capture account login details. Variants also act as ransomware, blocking the device and demanding payment of a 'fine' for alleged criminal activity. Lockscreen and Scarepackage are the other two ransom-trojans that were reported by security researchers in the latter half of last year. These Trojans use 'police-themed' notifications to scare the user into paying a 'fine' for supposed illegal activity. Both threats are detected by F-Secure as variants of the Koler or Slocker families.

Another kind of malware that found its way to Android was crypto-ransomware, a class of malware that infects a machine, encrypts targeted files with specific extensions, and demands payment before providing the key to decrypt them. Crypto-ransomware reached Android in 2014 after gaining a reputation as a growing problem for Internet security companies and law enforcement in general. Security researchers have also discovered a new Trojan, Simplelocker, which scrambles the files on memory cards in Android devices and demands a ransom to open them. This Trojan targets SD cards inserted into Android tablets and mobile phones, encrypts the files and demands payment in order to decrypt them. For these and other reasons, it is safe to say that the vast majority of mobile cyber threats target Android.
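The behaviour described above (many targeted files on the SD card rewritten with high-entropy content and given a new extension in a short time) is also what a defender can key on. The following Python heuristic is an added example written for this article, not F-Secure's code; the package names, paths, target-extension list, thresholds and sample events are all constructed for illustration.

```python
import math
import os
from collections import Counter, defaultdict

# File types the example treats as ransomware targets (constructed list).
TARGET_EXTS = {".jpg", ".png", ".doc", ".docx", ".pdf", ".txt"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, plain media or text stays lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def score_events(events, window_s=60, min_files=5, entropy_threshold=7.0):
    """Flag packages that, within window_s seconds, overwrite at least min_files
    targeted files with high-entropy data and rename them to a new extension.
    events: iterable of (timestamp, package, path, new_path_or_None, bytes_written).
    Returns {package: [(old_path, new_path), ...]} for flagged packages."""
    hits = defaultdict(list)
    for ts, pkg, path, new_path, data in events:
        ext = os.path.splitext(path)[1].lower()
        ext_changed = bool(new_path) and not new_path.lower().endswith(ext)
        if ext in TARGET_EXTS and ext_changed and shannon_entropy(data) >= entropy_threshold:
            hits[pkg].append((ts, path, new_path))
    flagged = {}
    for pkg, rows in hits.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_s:
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= min_files:
                flagged[pkg] = [(p, n) for t, p, n in rows if t - rows[start][0] <= window_s]
                break
    return flagged

# Constructed sample activity: a stand-in for ciphertext (every byte value equally
# often) and for plain text; one benign gallery write, one benign .bak rename,
# and a hypothetical locker package rewriting six photos as .jpg.enc in 15 seconds.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"holiday photo metadata " * 40
SAMPLE_EVENTS = (
    [(10, "com.example.gallery", "/sdcard/DCIM/IMG_1.jpg", None, PLAINTEXT),
     (12, "com.example.editor", "/sdcard/notes/todo.txt", "/sdcard/notes/todo.txt.bak", PLAINTEXT)]
    + [(20 + i * 3, "com.example.locker", f"/sdcard/DCIM/IMG_{i}.jpg",
        f"/sdcard/DCIM/IMG_{i}.jpg.enc", CIPHERTEXT) for i in range(6)]
)

if __name__ == "__main__":
    for pkg, files in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT: {pkg} encrypted {len(files)} files, e.g. {files[0][0]} -> {files[0][1]}")
```

The benign editor rename is not flagged because its content stays low-entropy, while only the locker package trips all three conditions at once.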

Apple's iOS too on the radar

Apple's iOS is no longer a walled garden that no malware can penetrate. Although the share of malware is smaller than on Android, cyber criminals are today trying to infiltrate the iOS platform as well, continually probing the edges of the iOS security envelope for a way in. CVE-2014-4377 was one such vulnerability exploited by attackers in the second half of 2014: a specially crafted PDF document, when opened on a device running an unpatched version of iOS 7.1.x, can trigger the flaw, although an attacker would also need to exploit a second flaw to execute code remotely. Wirelurker is another example, a Trojan-spy that infects iOS devices connected via USB to infected OS X machines. Pirated apps containing Wirelurker are offered on third-party app sites for OS X machines, and iOS devices connected via USB to an infected machine have apps downloaded onto them. As a proactive measure, Apple has now blocked Wirelurker-tainted apps in its store.

Remedial Action

Organizations that employ real-time backup and frequently test their devices and environments typically survive a ransomware attack unscathed: they can simply wipe the infected device and restore the backed-up files. The recommended remediation for a ransomware infection is to report the incident to the appropriate legal authorities and restore the affected files from a clean, recent backup onto a cleaned system. While data backups ought to be regular and automatic, rigorous end-to-end encryption ought to be mandatory as well, since it can make most stolen data useless to extortionists. Beyond backups and encryption, security has to be multi-layered and requires an encompassing approach, including endpoint security, employee training, system updates and so on. Security should include not just traditional anti-virus but also download protection, browser protection, heuristic technologies, a firewall and a community-sourced file reputation scoring system.