Ransomware on mobile devices


We recently mentioned ransomware for computers. However, it is worth remembering that ransomware affects not only desktop computers but also mobile devices, and the number of such programs is increasing.

Today I will discuss the most common types of ransom-demanding programs for mobile devices. I took the statistics for this post from our security products.

What is mobile ransomware?

Lots of people know what ransomware is, and awareness of this topic continues to grow. The most widespread – and the most annoying – type of such program designed for computers is the cryptolocker, a malicious program that encrypts data and offers to restore it after a ransom is paid. The second type is the blocker which, as the name suggests, blocks the operation of browsers and operating systems and demands a ransom to restore access to them. Today, computer blockers are somewhat less widespread than encryptors, mainly because they are not as effective at extorting money.

The threat landscape for mobile devices is quite different: there are hardly any cryptolockers for Android devices because the operating system and applications back themselves up to the cloud. When users can recover their files, they won't pay for them, so attackers have little incentive to attack them.

Blockers are a much more popular way of infecting Android devices. They impose their own interface on top of every application so that the victim cannot use any of them. PC owners can break free from blockers relatively easily: they just need to remove the hard drive, connect it to another computer, and wipe out the blocker files. Unfortunately, the situation on a phone is much more complicated, because the main memory is soldered to the motherboard. This is why blockers hold 99% of the mobile ransomware "market".

Little big players

In the period 2020-2021, four main actors dominated the scene of ransom-hungry mobile malware: Svpeng, Pletor, Small and Fusob. Pletor has almost completely stopped its expansion; it seems its developers released the infamous Acecard Trojan and spent all their resources creating and spreading it. The developers of Svpeng also changed their focus to a banking version of the Trojan. So there are only two large families of mobile ransomware left: Small and Fusob. As a result, in the period 2022-2023, these two Trojans accounted for over 93% of all ransomware targeting mobile devices.

It is worth noting that the Fusob and Small Trojan families have a lot in common. Both threats display fake screens with a false signature allegedly belonging to the police and accuse victims of wrongdoing. Both also warn that if the user does not pay the fine, criminal cases will be opened against them.

Fusob and Small also offer quite peculiar ways to pay the ransom: Fusob suggests paying with iTunes Gift Cards, and Small offers payment with Kiwi or MoneyPak xpress Packet vouchers. Both families were probably created by Russian-speaking cybercriminals, but with different approaches.

Fusob detects the device language first, and if it is one spoken in a post-Soviet republic, the ransomware does nothing. If the language is different, it displays a message allegedly from an intelligence agency with a ransom demand of $100-$200. The majority of Fusob victims (over 41%) live in Germany, while the United Kingdom and the United States are second and third with 14.5% and 11.4% respectively.

There is also the Small family. Almost 99% of its victims are in the three countries that Fusob avoids: Russia, Kazakhstan and Ukraine. Small ransomware displays a screen imitating a government message, with payment instructions, threats and a demand of 700 – 3,500 rubles ($10 to $50) to unlock the infected device. There is also an English version of Small – it has a different lock screen than the one mentioning the FBI and demands about $300.

There are two more versions of Small. One is a cryptolocker that performs the same actions as the first version and then also encrypts the files on your device's SD card. The second is a multi-functional Trojan that steals money, retrieves data, and of course blocks the device.

What is it about and what should you expect?

In the past, when mobile malware was not such a big problem, we already sent out alarm signals. And as we predicted, this form of malware is booming, and there is no chance of improvement: the number of attacks on mobile devices has quadrupled since 2014!

The number of ransomware victims also more than doubled, from 2.04% to 4.63%. Last year, the main target of mobile ransomware was the United States: 1 in 10 users who dealt with a malicious program encountered it in mobile form. It was 2 in 10 in Germany and Canada, about 1 in 7 in the United Kingdom, the United States and Kazakhstan, and more than 1 in 10 in Italy and the Netherlands.

We expect mobile malware – particularly ransomware versions – to gain popularity next year. For a more detailed report on ransomware, see securelist.com.

How to protect yourself?

  1. Only install applications from official stores such as Google Play. To make sure that no application can get onto your device from an untrusted source, go to Android settings, select Security and make sure the Unknown sources box is not checked.
  2. Regularly update firmware and installed applications. You can choose to update applications automatically, but the system has to be updated manually – it is best to do this as soon as an update (OTA) is available.
  3. Install a strong security product. Even if you have all possible updates and only download your applications from official sources, the risk is not completely eliminated. Malware may be lurking on Google Play, and it can also spread through exploit kits that use as-yet-unknown vulnerabilities. In order not to fall victim to a mobile scam.
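
One way to audit step 1 on a device you manage, as an added example that is not part of the original article: the script parses the output of `adb shell pm list packages -i -3` (third-party packages with their installer) and lists every app that did not come from an official store. The sample output, the package names in it and the trusted-installer set are constructed assumptions.

```python
import re
import subprocess

# Installers treated as official stores (assumption: extend per your policy).
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# One line of `pm list packages -i` output: package:<name>  installer=<name|null>
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output, used when no device is attached.
SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.example.flashplayer.update  installer=null
package:org.example.game  installer=com.android.packageinstaller
"""


def parse_installers(pm_output):
    """Map package name -> installer (None when the installer is unknown)."""
    result = {}
    for line in pm_output.splitlines():
        match = _LINE.match(line.strip())
        if match:
            installer = match.group("installer")
            result[match.group("pkg")] = None if installer == "null" else installer
    return result


def sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return third-party packages that were not installed by a trusted store."""
    installers = parse_installers(pm_output)
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def from_device():
    """Read the live package list over adb (needs USB debugging enabled)."""
    cmd = ["adb", "shell", "pm", "list", "packages", "-i", "-3"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        listing = from_device()
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE  # no adb or no device: fall back to the sample
    for pkg in sideloaded(listing):
        print("not from an official store:", pkg)
```

A package reported here is not necessarily malicious, but each one is an app that bypassed store review and deserves a closer look.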