At the time of discovery, no AV could detect this stealthy ransomware which infected a popular application

Mar 31, 2017 02:03 GMT  ·  By

A new type of Android ransomware was discovered in the wild. What makes this one particularly scary and noteworthy is the fact that no antivirus program has managed to detect it. 

Researchers at Zscaler ThreatLabZ discovered the new ransomware in a popular app called "OK," a Russian entertainment social networking app. The legitimate app available in the Google Play Store, with somewhere between 50 and 100 million installs, is clean and contains no malicious code. It is the copy found on third-party app stores that is dangerous.

The ransomware has a few features designed to keep the victim from suspecting anything. For example, after the app is installed, the malware does not act immediately, as such tools often do. Instead, it stays silent for four hours, the phone operates as it normally does, and even the app itself works as it is supposed to.

Four hours later, the app prompts the user to grant it device administrator rights, which would allow it to change the screen unlock password, monitor screen-unlock attempts, lock the screen and set a lock-screen password expiration. Of course, this sounds extremely suspicious, so users might very well tap "Cancel."

Even if they do, the prompt reappears immediately, preventing the user from taking any other action or uninstalling the app. If the user gives in and grants the app admin powers, the ransom note appears on the screen. The attackers demand 500 rubles as payment, which is close to $9.

"We analyzed the sample further to understand whether the malware actually sends a user's data to a server. We didn't find any personal data leak as claimed by the ransomware and were not surprised when we found that the ransomware is NOT capable of unlocking the user's phone," the researchers note.

That means that even if the victim pays, the ransomware will not stop operating and the victim will not regain access to the phone. There is no functionality present in the malware to confirm whether the ransom has been paid, so it simply keeps running.

Stealthiness helps it dodge AV programs until it's too late

The researchers concluded that this malware could quite easily end up injected into apps on the official Google Play store, mostly because the four-hour delay lets it slip past antivirus scans that only watch for immediate malicious behaviour.

If you become infected, paying the ransom is useless, since there is no way to make the malware leave you alone. Instead, boot the device into Safe Mode, which disables third-party apps. Then remove the device administrator privilege from the ransomware app, uninstall the app and reboot the device into normal mode. To avoid a repeat, do not install apps from unknown sources: go to the security settings on your phone and disable "Unknown sources" there, and review the device administrators list for apps you do not recognise.
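The clean-up above hinges on finding which app holds device administrator rights. The following Python script is an added example, not part of the article or of Zscaler's analysis: it parses the output of `adb shell dumpsys device_policy`, lists every enabled device admin with the policies it holds, and flags third-party admins that combine the "reset-password" and "force-lock" policies, the pairing a screen-locking ransomware needs. The dumpsys layout, the sample output, the allow-list of expected admins and the package name `com.example.okclone` are all constructed assumptions for this example and are not identifiers from the article; the real dump format varies between Android versions, so adjust the parser to your device.

```python
"""Triage helper: find third-party device admins that hold lock-screen
control policies in `adb shell dumpsys device_policy` output.

Added example; not from the article or from Zscaler. The dump layout
(assumed from AOSP's DevicePolicyManagerService dump), the sample dump,
the allow-list and the package 'com.example.okclone' are constructed.
"""
import re
from dataclasses import dataclass, field

# DeviceAdminInfo policy tags a lock-screen ransomware needs: change the
# unlock password and force a lock. watch-login / expire-password are the
# other two policies the article lists; they strengthen the signal.
RANSOM_LOCK_POLICIES = {"reset-password", "force-lock"}

# Admins a user would normally expect (constructed allow-list; a real
# triage would use the device's known vendor/MDM admin packages).
KNOWN_ADMINS = {"com.android.settings", "com.google.android.gms"}

# "<package>/<receiver>:" header of one enabled admin (stripped of indent)
ADMIN_RE = re.compile(r"^([A-Za-z0-9_.]+/[A-Za-z0-9_.$]+):$")


@dataclass
class DeviceAdmin:
    component: str
    policies: set = field(default_factory=set)

    @property
    def package(self) -> str:
        return self.component.split("/", 1)[0]


def parse_device_admins(dump: str) -> list:
    """Return the admins listed under 'Enabled Device Admins', in order."""
    admins = []
    section_indent = None   # indent of the section header once found
    policy_indent = None    # indent of the 'policies:' line while inside it
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        text = raw.strip()
        if section_indent is None:
            if text.startswith("Enabled Device Admins"):
                section_indent = indent
            continue
        if indent <= section_indent:      # next top-level section: done
            break
        if policy_indent is not None:
            if indent > policy_indent:    # a policy tag line
                admins[-1].policies.add(text)
                continue
            policy_indent = None          # left the policies block
        if text == "policies:" and admins:
            policy_indent = indent
            continue
        m = ADMIN_RE.match(text)
        if m:
            admins.append(DeviceAdmin(m.group(1)))
    return admins


def flag_lock_ransomware_admins(admins: list) -> list:
    """Third-party admins holding both reset-password and force-lock."""
    return [a for a in admins
            if a.package not in KNOWN_ADMINS
            and RANSOM_LOCK_POLICIES <= a.policies]


def remediation_steps(admin: DeviceAdmin) -> list:
    """The manual clean-up the article describes, for one flagged admin."""
    return [
        "Boot the device into Safe Mode (third-party apps are disabled).",
        f"Settings > Security > Device administrators: deactivate {admin.component}",
        f"Uninstall the app: adb uninstall {admin.package}",
        "Reboot into normal mode and disable 'Unknown sources'.",
    ]


# Constructed sample dump: one expected admin and one unknown third-party
# admin holding exactly the four policies the article lists.
SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10019
      testOnlyAdmin=false
      policies:
        limit-password
        watch-login
        reset-password
        force-lock
        wipe-data
      passwordQuality=0x0
    com.example.okclone/.DeviceAdminReceiver:
      uid=10203
      testOnlyAdmin=false
      policies:
        reset-password
        watch-login
        force-lock
        expire-password
      passwordQuality=0x0
  Other state:
    mPasswordOwner=-1
"""

if __name__ == "__main__":
    for admin in flag_lock_ransomware_admins(parse_device_admins(SAMPLE_DUMP)):
        print(f"suspicious admin: {admin.component} policies={sorted(admin.policies)}")
        for step in remediation_steps(admin):
            print("  -", step)
```

On a real device, pipe `adb shell dumpsys device_policy` into `parse_device_admins` instead of the constructed sample. The allow-list matters: Google's own admin legitimately holds `reset-password` and `force-lock` for Find My Device, so the script distinguishes expected admins from unknown ones rather than treating the policy pairing alone as malicious.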