When Ransomware Goes Mobile

In the past two years, the most significant trend in the malware world was the rise of ransomware. Recently, mobile malware followed the footsteps of PC malware, like it has done many times before, as several security vendors detected a sharp rise in the spread of mobile ransomware. According to ESET, ransomware has grown by over 50% over the past year, and Kaspersky notes a rise of 250% in the first quarter of 2017. Interestingly, both firms concur that most attacks target the USA, which correlates with the general trend of ransomware in PCs as well. To prevent ransomware from affecting our mobile devices, we must understand how it operates on this platform, and what are the unique dangers of mobile ransomware.


Playing in the big league – Mobile ransomware on Google Play

Mobile ransomware is likely to try and infiltrate Google Play, Google’s official app store to achieve wide distribution, which will increase the attackers’ profits accordingly. Even though it is harder for ransomware to bypass security protections due to its unmistakable malicious nature, Check Point researchers have already detected a new ransomware variant, called Charger, which managed to enter the Play store by using several obfuscation techniques. This might be an early bird of a much wider phenomenon to come.


Maximizing the effect – Complete encryption

Mobile ransomware also varies in its operation from its PC cousin. Current mobile ransomware encrypt only some parts of the device and the files stored on it, leaving the rest untouched, or even suffice in blocking the user’s access to the device without encrypting anything at all. This is due to the higher privileges required to encrypt certain parts of the device, which in turn demand more effort from the hackers. However, as mobile ransomware progresses it is safe to assume that the perpetrators will attempt to encrypt all assets on the device, including the SD card which often contains the most valuable data, even if the process entails rooting the device. Once ransomware encrypts the entire device, the user will have no option but paying.


Joining forces – Financial malware unite

While banking malware are becoming less prominent on PCs, their mobile counterparts are still very successful, mainly because they can easily circumvent banking protection mechanisms such as two factor authentication. It is possible that these banking malware will make use of ransomware as part of their operation to prevent the user from mitigating the banking attack. A similar strategy was used by the infamous GameoverZeus banker malware, which used to mix DDoS (Distributed Denial of Service) attacks with banking fraud, effectively blocking the users from stopping the fraud. We have already detected a first sign of collaboration between the two malware types when the BankBot malware adopted an obfuscation method which was first introduced by a ransomware to infiltrate Google Play.


An easy way in – targeted ransomware attacks are mobile

The mobile platform might also provide hackers with an unprotected way to infect sensitive networks with ransomware. Beginning last year, we’ve seen several targeted ransomware attacks aimed at hospitals such as St. John’s Presbyterian hospital, as well as other critical services, which have more pressure to pay the ransom than ordinary users. The perpetrators hand-picked these victims and demanded an extremely high payment in return for the decryption key. Since these organizations are likely to up their security, hackers are bound to search for an unprotected path into their network, which mobile devices too often are. Using one infected mobile device, hackers can compromise and extort an entire organization.


Mobile ransomware is expected to continue to rise in its extent, and develop new and more powerful capabilities aimed at gaining the largest possible profits. Both organizations and mobile users should be aware of this expanding threat, and prepare for it accordingly. Mobile devices, and the accompanying mobile malware are no longer a rare occurrence. You should protect your mobile devices just as you defend any other part of your network, and not leave it vulnerable to painful attacks.