A new “FBI” malware is targeting Android users, locking their devices and demanding payment to restore their smartphones. Cybercriminals have sent more than 15,000 spam emails over the past three days to distribute this ransomware. Ransomware is malware that demands a payment to undo its own malicious action. In this case the ransom is demanded to unlock your phone; with other ransomware (such as CryptoLocker and its variants) it might be demanded to decrypt the files the malware encrypted.
How this malware takes effect
Android.Trojan.SLocker.DZ is one of the most prevalent ransomware families, according to Bitdefender. Multiple versions of this malware have been distributed.
This new SLocker version arrives as what appears to be an Adobe Flash Player update, sent by email in a zipped file. When the user runs the supposed video player, an error message is shown. Pressing “OK” to continue brings up a warning purporting to be from the FBI that covers the home screen, and the user is unable to navigate away: the malware disables the device’s Home button and Back function. Even turning off the device doesn’t help, because the malware runs again when the operating system boots.
The fake FBI message tells users they have broken the law by visiting pornographic websites. The message even contains screenshots of so-called browsing history, and it claims to have screenshots of the victims’ faces and to know their location.
The ransomware demands a payment of $500 to restore access to the device. If the user tries to unlock the device, the amount increases to $1,500. The victim is instructed to send the money via MoneyPak or PayPal My Cash transfer.
Always question before you click to install updates
Flash Player for Android has not been available from the Google Play app store since 2013, and Android has dropped support for Flash. If you know this, you’ll be less likely to be tricked by an email instructing you to update Adobe Flash Player. A similar FBI lock ransomware that appeared in July 2014, called Andr/FBILock-A, also masqueraded as a Flash Player app to lure users into installing the malware.
What you can do if infected
There are a few circumstances in which Android users can regain control of their devices.
- You may have a few seconds to remove the malicious app by pressing the Home button and dragging the app to the top of the screen to uninstall it.
- If ADB (Android Debug Bridge) is enabled, you might be able to uninstall the application from the command line. ADB is the command-line tool developers use to debug apps; with it you might be able to get the device into Safe Mode, buying enough time to uninstall the malware manually.
- For most users, the best option is to perform a factory data reset to remove the malicious app. Unfortunately, this will also erase all user files that were saved to the device’s main memory, but it will not affect the files that were stored on an external memory card. If your device is backed up (before it was infected), you can restore your settings and files from backup.
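As an added illustration of the ADB option above (this script is not from the original post or from any vendor), the helper below lists third-party packages that have no recorded installer, which is how a sideloaded “Flash Player update” opened from an email attachment would appear, and removes the package the operator names. It assumes USB debugging was already enabled and authorized on the phone and that the adb binary is on PATH; the package name used in the comment is a placeholder, not the real malware’s.

```shell
#!/bin/sh
# Added triage helper (not the original post's code). Assumes USB debugging
# is enabled and authorized and that adb is installed on the workstation.

# Keep only packages with no recorded installer, i.e. sideloaded APKs.
# Input is the output of:  adb shell pm list packages -3 -i
# which looks like:        package:com.example.app  installer=null
sideloaded_packages() {
    awk -F'[: ]+' '/installer=null/ { print $2 }'
}

# Show where a package's APK lives before deciding whether to remove it.
inspect_package() {
    adb shell pm path "$1"
}

# Remove the package for the primary user (user 0), e.g.
#   remove_package com.example.fakeflash   (placeholder name)
remove_package() {
    adb shell pm uninstall --user 0 "$1"
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced or tested without a phone attached.
if [ "${1:-}" = "--scan" ]; then
    adb wait-for-device
    adb shell pm list packages -3 -i | sideloaded_packages
fi
```

Run it with `--scan` to get the candidate list, check each candidate with `inspect_package`, and only then call `remove_package` on the one that matches the fake update.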
Prevention is the best medicine
The standard recommendations for protecting any device from malware also apply to your Android device.
- Never install applications from untrusted sources.
- Use antivirus software on your device and keep it updated.
- Don’t click on links in or open attachments to emails from uncertain sources, and avoid questionable websites.
- Use a spam filter to reduce the number of spam emails that reach your inbox.
- Protect your settings and files by regularly backing up your data in the cloud or on an external drive.
Our team at Big Idea Technology believes that a vital step in keeping our clients’ systems secure is keeping our clients informed about viruses and malware that might affect them. Smartphones are frequently used to access company data. Protecting your mobile devices from malware will not only protect the devices, it will also help to keep your company’s systems secure.