Another one of Cloudmark’s predictions for 2014 has proved to be correct. Last December our CTO Neil Cook wrote:
“Malware has also kept up a steady migration to the mobile space with ransomware set to be a logical next step in future. In its simplest form, ransomware could simply copy sensitive information from the phone to blackmail users. Eventually, however, encryption is going to be brought to the table.”
Sure enough, encryption-based ransomware for Android has now been reported in the wild. So far this is a limited attack targeted only at users in Ukraine. However, this may be a trial effort, and if it is successful we may expect to see attempts to distribute this trojan to other markets, particularly those that are not covered by Google Play. Apps downloaded from third-party libraries are more likely to be malware than those that have been scanned by Google.
Simpler forms of ransomware have already cropped up this year. The typical format is a message stating that the phone has been detected committing some “crime”, such as downloading pornography, and demanding payment of a fine. The Koler.A Android trojan, detected last month, pretended to be an adult video player but, when installed, claimed that it had encrypted all the files and demanded a $300 fee to unlock them. In fact, this app did not do any encryption and could be fixed by simply removing it.
More recently, variants of the Svpeng Android trojan have been targeting users in the US. It blocks access to the phone and demands a $200 ransom to unlock it. Though it contains a reference to encryption code, it does not actually do any encryption, so presumably the criminals behind this one have that planned for a future release.
To guard against threats like these, we recommend that users only download apps from trusted sources such as Google Play, and make sure that all the data on their phone is regularly backed up.