SLocker Android Ransomware Resurfaces in Undetectable Form

Famous for infecting thousands of Android mobile devices in 2016, SLocker is mobile ransomware used to hold employees’ personal and corporate data hostage. Yet many researchers thought its day was over—until a recent resurgence was detected.

SLocker is characterized as the first Android ransomware that uses file encryption. It is also noted for its use of the TOR anonymizing network to communicate with its controller. The 2016 attacks were estimated to have resulted in tens of millions in corporate dollars being paid in ransom to recover confidential data being held by hackers.

However, its significance waned once mobile AV caught up with it, with nearly every platform easily detecting and blocking it. It also didn’t help that the user can remove the malicious app by pressing the Home button and dragging it to the top of the screen to uninstall it. Users as a last resort could also simply perform a factory data reset on the device to remove the app, which erases all local user files.

Recently though, Wandera’s mobile threat intelligence engine identified more than 400 new variations of the SLocker malware targeting business’ corporate mobile device fleets through third-party app stores. All have a very low detection rate.

“These polymorphic new strains of SLocker malware have been redesigned and repackaged to avoid all known detection techniques,” the firm noted. “They use a wide variety of disguises, including altered icons, variations in package names, unique resources and executable files in order to avoid being identified by a standard and static virus signature.”

The new variants, like the old version, work by encrypting images, documents and videos on a mobile device to later ask for a ransom to decrypt files. The malware is executed and runs silently without the knowledge or consent of the user, to ultimately hijack the phone and block user access completely.

“Attacks against the mobile enterprise are becoming increasingly more sophisticated,” said Michael Covington, vice president of product strategy at Wandera. “In an effort to evade detection, attackers have created variations and permutations of their exploits, knowing that security tools struggle to identify each new version.”

Android users are advised to stay away from third-party app stores, while corporate admins might want to consider defensive data science and machine learning technologies that are geared to identifying zero-day threats.

What’s Hot on Infosecurity Magazine?