Emerging Threats

Variant of Android ransomware uses shady tactics to trick users into giving away administrator rights

Authored by a Symantec employee


Symantec has found a variant of Android ransomware that uses clickjacking tactics to try to trick users into giving the malware device administrator rights. The malware encrypts files found on the compromised device and, if it obtains administrator rights, can also lock the device, change the device PIN, and even delete all user data through a factory reset.

Ransomware extortion methods

Ransomware has a number of means to extort victims. In the most common cases, once a user has downloaded and installed a fake or “Trojanized” app, the malware locks the screen, encrypts the data and then displays a fake alert claiming the user has accessed forbidden materials. In this particular case, the malware also gathers the compromised user’s contact list. The user is then prompted to pay a ransom, under threat of losing the encrypted data and having their browsing history sent to all of their contacts.

Privacy and browsing history

At first glance, that may not seem like a big deal; however, our browsing histories hold a lot of personal information that you may not be aware of. Think about what you last searched for on your phone. Maybe you were looking for another job online, or researching a medical condition you were just diagnosed with. Would you want that kind of information sent to every single one of your contacts, including your boss, family and friends, and even acquaintances? Searches can seem innocuous while we are doing them in private; however, were that history to be made public, it would paint a far more detailed picture of you than you may want distributed to everyone in your life.

What is Clickjacking?

Once the malicious app is installed and run by the user, a fake “Installation” window covers the legitimate app. The user believes they are clicking “Continue” to install necessary related software but, in actuality, they are taking the steps to activate the malicious app as a device administrator. After a fake installation delay, a final “Installation is Complete” dialog is presented. This is the step that tricks the user into granting the malware device administrator privileges: the “Installation is Complete” dialog is a fake window drawn over the system’s device administrator activation prompt, so when the user hits the “Continue” button they are actually pressing the “Activate” button underneath it.
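The defence against this class of overlay attack is for the window that owns a sensitive button to refuse touches that arrive while another app's window is drawn on top of it. The following is an added example, not code from the Symantec article or from the malware it describes: a custom Android button that uses the platform's own obscured-window filtering and, as a stricter policy, also rejects taps when the window is only partially covered. The class name GuardedButton, the package name and the log tag are assumptions; the MotionEvent flags and View.onFilterTouchEventForSecurity are real Android APIs.

```java
// Added example (not from the original article): a button that ignores touches
// delivered while an overlay from another app covers its window, the condition
// a clickjacking/tapjacking overlay relies on. Package and class names are
// hypothetical.
package com.example.tapjackguard;

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class GuardedButton extends Button {
    private static final String TAG = "TapjackGuard";

    /** Optional hook so the hosting Activity can tell the user why a tap was dropped. */
    public interface ObscuredTapListener {
        void onObscuredTapRejected();
    }

    private ObscuredTapListener listener;

    public GuardedButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to discard touches when another window fully covers
        // this view. Equivalent to android:filterTouchesWhenObscured="true".
        setFilterTouchesWhenObscured(true);
    }

    public void setObscuredTapListener(ObscuredTapListener l) {
        this.listener = l;
    }

    /**
     * Pure policy check, kept separate so it can be unit-tested off-device:
     * a touch is untrusted if the window was fully obscured, or (on Android 10+)
     * partially obscured, when the event was generated.
     */
    static boolean isUntrustedTouch(int flags, int sdkInt) {
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists from API 29; the default
        // framework filter does not drop these, so we do it explicitly.
        return sdkInt >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The framework already rejects fully obscured touches when
        // filterTouchesWhenObscured is set; we extend that to partial overlays
        // and log the rejection so it is visible in a security review.
        boolean allowed = super.onFilterTouchEventForSecurity(event)
                && !isUntrustedTouch(event.getFlags(), Build.VERSION.SDK_INT);
        if (!allowed && event.getAction() == MotionEvent.ACTION_DOWN) {
            Log.w(TAG, "Rejected touch: window obscured by another app's overlay");
            if (listener != null) {
                listener.onObscuredTapRejected();
            }
        }
        return allowed;
    }
}
```

Use GuardedButton in place of Button for any confirmation that grants a privilege, and wire setObscuredTapListener to show the user a message such as "another app is covering this screen". The check lives in the view rather than in an OnClickListener because onFilterTouchEventForSecurity runs before click handling, so a rejected touch never reaches the click logic at all.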

How to stay protected:

This particular clickjacking technique affects devices running versions of Android older than Android 5.0; however, that still amounts to almost 67 percent of Android devices.

The malware is disguised as a porn app called “Porn ‘O’ Mania.” The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites. Users who have Google Play installed are protected from this app by Verify Apps, even when downloading it outside of Google Play.

You can also follow these best practices for mobile device safety:


Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.