Android Ransomwares – A True Threat or Bluffing?

What is a Ransomware?

When talking about the cybercrime industry, “business model” is often more important than technology itself. Ransomware is a kind of malware that restricts access to users’ system or data, and blackmails the victim for money to get the restriction removed. One of the most well-known(and profitable) ransomware on PC was Cryptolocker. Emerged in Eastern Europe and grown internationally at the end of 2013, Cryptolocker could encrypt the victim’s hard drive, and ask for 400 USD or equivalent value of Euro/BTC for the private key to decrypt. ZDNet once traced the four Bitcoin wallets used for receiving ransom, it shows a income of 41,928 BTC between October 15 and December 18, worth US$27 million at that time.[1]


Ransomwares on Android

While initially popular on PC, the ransomware scams has begun to cross-platform to Android. In this article, we will discuss 2 Android ransomwares our platform intercepted. The “Fakedefender” and “BaDoink”. Comparing to their PC version. Both technical standard and threat level is significantly lower, and mostly rely on social engineering for money scam.

Screen Shot 2014-05-19 at 10.15.10 PM

  • Name: Fakedefender (Trojan.FakeAV.D)
  • Package: com.avastmenow
  • MD5: E790C4295B8ADB23D090BAE5D6EB786A

Fakedefender is a very simple app, which only contains basic UI, and technically harmless to your phone. It pretended to be a pornography app, and an “antivirus” window (disguised as Avast) will suddenly pop up. Afterwards the following screen will be displayed, telling you that your phone has been locked and you need to pay $300 via MoneyPak to get it “unlocked”.

Screen Shot 2014-05-19 at 10.15.30 PM

  • Name: BaDoink (Trojan.Koler.A)
  • Package:
  • MD5: FB14553DE1F41E3FCDC8F68FD9EED831 / 67bde6039310b4bb9ccd9fcf2a721a45

Have you ever watched child porn? FBI is coming for you! The Trojan.Koler.A blackmails the user in a more professional way: It shows your IP and location, threats the you to be put in prison for 5-11 years due to downloading child porn – unless you pay a $300 fine. Moreover, it will keeps poping up the warning screen every minute, and hook the receivers to pop the warning screen every time you unlock the phone.


Threat or Bluffing?

Strictly speaking, those 2 examples are not “ransomware”, but scam apps. Because they cannot deal actual damage to the user’s data or phone. They scam money purely by social engineering. This is not only due to the malware developer’s technical skills, but also the design of Android. On Windows, every application would have full access of the entire storage by default, including the user’s personal data and system files. However, the Android apps’ permission is much more restricted. It’s storage access is limited to the app’s folder by default.

Let’s think from the attacker’s perspective: Is it possible to make a Android ransomware like PC Cryptolocker? The answer is yes. It is still doable for an Android developer to make an ransomware that can actually damage your phone or data to force you pay ransom.

Firstly, every app could access the SD card by applying the permission android.permission.WRITE_EXTERNAL_STORAGE. The attacker could write an app to encrypt the victim’s SD card, which may contain important data, and blackmail the user just like Cryptolocker does.

Second, there is an Android feature that can grant developer a higher privilege – the Device Admin APIs. It’s a powerful tool used by enterprises applications, which could change the phone’s passcode, encrypt the storage and even wipe out all data from the phone. To enable the device admin APIs, all a malware developer needs to do is to try attracting user to click “allow” on the permission screen.


Think about it, most users don’t know what is device admin, what can it do and how to disable it. Some users are getting used to click “allow” on all permission screens, especially when the ransomware is disguised into another trusted app. After the user clicked “allow”, the question would become: would you pay a few hundred bucks to save your phone data from being wiped out (or the passcode to re-access your phone)?

Third, for the rooted phones, the ransomware would have privilege to deal enough damage. Also, the ransomware might exploit vulnerabilities like “master key vulnerability” to escalate its privilege to a system app.

In conclusion, although the existing Android “ranspmwares” can be rather called a bluffing, the possibility of making a real “Android Cryptolocker” still exists, despite of the Android’s sandbox architecture. Trustlook Antivirus can now perfectly detect the ransomwares mentioned in this article.


[1] CryptoLocker’s crimewave: A trail of millions in laundered Bitcoin

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s