July 17, 2014
Android Ransomware Impersonates FBI Porn Warning
MALWARELAND—Security firm Lookout is warning about new Android malware targeting the United States that attempts to extort victims using an FBI warning delivered to their locked phones alleging that the device has been used to visit websites containing child pornography or other illegal content. The warnings are fake, of course, but the ability of the malware to compromise the phone is not.

The family of malware, called ScarePackage, is particularly malicious because, as explained yesterday by Meghan Kelly for Lookout, it "masquerades as well-known apps, such as Adobe Flash and a number of anti-virus applications, and pretends to scan your phone upon launch. After completing the fake scan it locks your phone. You can’t navigate away and if you try to reboot, the fake FBI message will be the first thing you see when the phone turns on."

The ransom demand of $300 is not particularly onerous, and should in fact be a red flag to anyone that something non-governmental is going on, but the sophistication of the scheme, including its ability to fool people into providing it with administrator privileges (something that should be done with only the most trusted applications, and even then...), is what prompted Lookout to characterize the malware as "particularly concerning."

Elaborating on how it works, Kelly explains, "The malware does its best to be as intrusive as possible by blocking the victim’s normal device-use with the app. Using a Java TimerTask, which is set to run every 10 milliseconds, the application will kill any other running processes that the user interacts with that are not the malware itself or the phone’s settings application. The malware also uses an Android WakeLock to prevent the device from going to sleep."

"The malware makes it difficult to turn the phone off," she adds, "but should you be able to, a boot receiver class resumes ScarePackage’s takeover of your device immediately, shutting down all other processes that the user interacts with."
Likely the creation of "Russian or other Eastern European authors," ScarePackage is similar to ColdBrother, another evil piece of code that in addition to locking the phone and attempting to extort money via a threat from the FBI, can take "a photo using the front-facing camera, can answer and immediately drop phone calls, and has unused code that searches for banking applications on the device."

Lookout mentions that all of its users are protected from the ScarePackage threat, and further advises people to:

* Avoid awarding device administrator to applications unless you’re really sure of what they do.
* Only download applications from developers you know and trust.
* Download an application such as Lookout, which can detect these threats before you ever open them.
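
The three persistence and lock behaviors described above (device administrator rights, a WakeLock, and a boot receiver) each have to be declared in an app's manifest, so they can be checked before an app is ever launched. The following triage check is an added example, not code from Lookout or from the article; the sample manifest, the package name `com.example.fakeplayer`, and the function names are constructed for illustration, and the input is assumed to be a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical app.
# It is not taken from a real ScarePackage sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the set of lock-screen ransomware traits declared in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    traits = set()
    if "android.permission.WAKE_LOCK" in perms:
        traits.add("wakelock")  # can keep the device from sleeping
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            traits.add("boot_receiver")  # code runs again after a reboot
        if receiver.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            traits.add("device_admin")  # app will ask for administrator rights
    return traits


def is_suspicious(xml_text):
    """Flag only the full combination; each trait alone is common in benign apps."""
    return triage_manifest(xml_text) == {"wakelock", "boot_receiver", "device_admin"}


if __name__ == "__main__":
    print(sorted(triage_manifest(SAMPLE_MANIFEST)), is_suspicious(SAMPLE_MANIFEST))
```

A match is a reason to look closer, not a verdict, since legitimate device-management apps declare the same combination. For manifests from untrusted APKs, a hardened parser such as `defusedxml` is a safer choice than the standard library parser.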