AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Ransomwhere android12/25/2023 ![]() ![]() Root permissions management, a tool that listens on the system for apps trying to elevate privileges to root (by calling “su”), presents a dialog to the user asking permission on behalf of the app before allowing it to proceed, and malware can abuse this for nefarious purposes. For that, it uses a TYPE_SYSTEM_OVERLAY window that is loaded on top of the device administration activation dialog, successfully tricking users into activating its device administrator rights.Īccording to Symantec, cybercriminals can take advantage of clickjacking techniques to perform other malicious activities as well. To eliminate suspicion, after the user clicks the “Continue” button on the fake window, the malware displays a fake “Unpacking the components” dialog.Īfter waiting for a short time without doing anything, the malware displays a final “Installation is Complete” dialog, which is the step where it gains elevated privileges on the system. To display the fake Package Installation dialog, Lockdroid uses a TYPE_SYSTEM_ERROR window, which is displayed on the highest layer on the screen, thus hiding the call to the device administrator requesting API. The malicious program is not only capable of encrypting files, locking the device, and performing factory resets, but it also prevents users from uninstalling it through the user interface (UI) or the command line interface, Symantec’s research found. After installation, it displays a fake “Package Installation” window that tricks users into activating it as a device administrator, thus enabling it to run its more aggressive extortion. As soon as it gains these rights, the malware can encrypt user files and perform other nefarious operations, the security firm said.Īs Symantec’s Martin Zhang explains in a blog post, the malware poses as an application for viewing adult content and adopts sophisticated social engineering techniques to gain administrator rights. Additionally, we also found a new self-propagation module that allows it to spread by sending SMS messages containing the shortened URL to all contacts on the compromised device.A new piece of Android ransomware has emerged, capable of locking devices, changing PINs, and even fully wiping user data via factory resets, Symantec researchers warn.Ĭalled "Lockdroid" ( ) by Symantec, the new malware was found trick users into providing it with device administrator rights. In case of this new Koler variant, the malicious Android application arrives via a shortened bit.ly URL to a Dropbox location and pretends to be an image file. If the unsuspecting user downloads and installs the package, it will lock the user's screen, displaying a fake FBI warning page (see below), accusing the user of viewing child pornography. Despite this fact, the mobile market is clearly one that ransomware operators would like to tap into and Koler is a step in that direction. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Crytolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating systems which limit the ability of apps to access the full file system. Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom.
0 Comments
Read More
Leave a Reply. |