Symantec has found a variant of Android ransomware that uses clickjacking tactics to try to trick users into giving the malware device administrator rights. As well as encrypting files found on the compromised device, if administrator rights are obtained, the malware can then lock the device, change the device PIN, and even delete all user data through a factory reset.
Ransomware Extortion Methods
Ransomware has a number of means to extort victims. In the most common cases, once a user has downloaded and installed a fake or “Trojanized” app, the malware locks the screen, encrypts the data, and then displays a fake alert claiming the user has accessed forbidden materials. In this particular case, the malware also gathers the compromised user’s contact list. Users are then prompted to pay a ransom, threatened with the loss of the encrypted data and the sending of their browsing history to all their contacts.
Privacy and Browsing History
At first glance that may not seem like a big deal; however, our browsing histories hold a lot of personal information that you may not be aware of. Think about what you last searched for on your phone. Maybe you were looking for another job online, or researching a medical condition you were just diagnosed with. Would you want that kind of information sent to every single one of your contacts, including your boss, family, friends, and even acquaintances? Searches can seem innocuous while we are doing them in private; however, were that history to be made public, it would paint a far more detailed picture of you than you may want distributed to everyone in your life.
What is Clickjacking?
Once the malicious app is installed and run by the user, a fake “Installation” window covers the legitimate window beneath it. The user believes they are clicking “Continue” to install necessary related software, but in actuality they are taking the steps to activate the malicious app as a device administrator. After a fake delay, a final “Installation is Complete” dialog is presented. This is the step that tricks the user into granting the malware device administrator privileges: the “Installation is Complete” dialog is actually a fake window laid over the real activation screen, so the tap passes through to the control underneath. Effectively, this means that when the user hits the “Continue” button they are actually pressing the “Activate” button.
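The trick above works because a tap delivered while another window is drawn over the target still reaches the control underneath. Android lets a view refuse such touches; the button below, an added example that is not code from the page or from any product it mentions (the class name is hypothetical), shows the standard countermeasure for an app's own sensitive confirmation controls.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

/**
 * A confirmation button that refuses touches delivered while another window
 * is drawn over it. This is Android's built-in defence against the overlay
 * ("tapjacking") trick described above, where a fake dialog covers a
 * sensitive control and the victim's tap lands on the hidden button.
 * Hypothetical class name for illustration only.
 */
public class ObscuredTouchAwareButton extends Button {

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Equivalent to android:filterTouchesWhenObscured="true" in layout XML.
        // With this set, the framework discards any touch that carries
        // FLAG_WINDOW_IS_OBSCURED before it reaches onTouchEvent().
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called by the framework for every touch; returning false drops it.
     * The default filtering is kept, and the user is additionally told why
     * the tap was ignored, which turns a silent overlay into a visible symptom.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured && event.getAction() == MotionEvent.ACTION_DOWN) {
            Toast.makeText(getContext(),
                    "Another app is drawing over this screen; tap ignored.",
                    Toast.LENGTH_LONG).show();
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

This protects controls inside an app you build; the activation screen abused by the malware belongs to the system, which is why the platform version matters in the section that follows.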
How to Stay Protected
This particular clickjacking technique affects devices running versions of Android older than Android 5.0; however, this amounts to almost 67 percent of Android devices.
The malware is disguised as a porn app called “Porn ‘O’ Mania.” The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites. Users who have Google Play installed are protected from this app by Verify Apps, even when downloading it outside of Google Play.
You can also follow these best practices for mobile device safety:
- Use a comprehensive security solution such as Norton Mobile Security, which protects against this particular threat as well as others.
- Keep all your software up to date.
- Only install apps from trusted app stores.