According to Symantec researcher Joji Hamada, the Android version of the threat is showing some variation from the desktop bug. The classic approach for fake anti-virus is more scareware than ransomware: it intentionally misrepresents the security status of a computer, attempting to convince the user to purchase a full version of the software to remediate nonexistent infections. Messages continue to pop up on the desktop until the payment is made or until the malware is removed.
“One interesting variant we have come across, detected by Symantec as Android.Fakedefender, locks up the device just like ransomware,” Hamada said. “Many users will not have the capability to uninstall the malicious app as the malware will attempt to prevent other apps from being launched.”
He added that the threat will also change the settings of the operating system, and in some cases users may not even be able to perform a factory data reset on the device. Instead, they will “be forced to do a hard reset which involves performing specific key combinations and/or connecting the device to a computer in order to perform a reset using software provided by the manufacturer,” Hamada said. “If they are lucky, some users may be able to perform a simple uninstall due to the fact that the app may crash when executed because of compatibility issues.”
Those compatibility issues vary across devices, Hamada said, leading to wide-ranging user experiences.
“We may soon see FakeAV on the Android platform increase to become a serious issue just like it did on computers,” he said. “These threats may be difficult to get rid of once installed, so the key to staying protected against them is preventing them from getting on to your device in the first place.”
Unfortunately, Android malware is no longer spreading only through malicious apps. Security firm F-Secure found in a recent study that Android threats spreading via spam and web browsing are increasingly common, requiring ever more consumer vigilance. In the first quarter of 2013, the number of new mobile threat families and variants continued to rise, by 49% over the quarter before. The number of families rose from 100 to 149, and F-Secure said that Android accounted for 136, or 91.3%, of these.