8 Trends in Android Ransomware according to ESET

Not everyone has the time of day to read an 18-page report on the state of Android ransomware, so that’s why we read it for you and summarized its main findings below.

The report, published by ESET this quarter titled Trends in Android Ransomware, provides a look at how ransomware threats evolved during the past year in the Android ecosystem. As promised, below are the main findings:

1. In 2016, Android ransomware operators shifted from US targets to the Asian & African markets, after in 2015 they shifted from Eastern European targets to the US. Overall, Android ransomware infections grew 50% compared to 2015.
2. There’s been a rising trend of Android ransomware delivered via malicious links embedded in spam email.
3. Apart from a single exception, most Android ransomware discovered in the past year was installed from apps outside the official Google Play Store.
4. Ransomware writers have begun encrypting their payloads to avoid easy detection, often hiding the ransomware payloads inside the app’s assets folders.

Android ransomware variants are becoming fully-fledged backdoor trojans

5. Besides encrypting files or locking the phone’s screen, Android ransomware has begun supporting other operations such as wiping the device, resetting the lock screen PIN, opening URLs in the phone’s browser, GPS tracking, and the theft of personal files.
6. Most of the time, Android ransomware talks to its C&C server via HTTP. Out-of-the-ordinary cases included ransomware that used Google Cloud Messaging, Baidu Cloud Push, Tor, and XMPP.
7. Most of the time, crooks hid ransomware in applications posing as adult apps, antivirus apps, or Adobe Flash Player (which was discontinued in 2012).
8. The Jisut Android ransomware saw a significant spike in activity in 2016, doubling its number of detections compared to 2015. This growth was driven by Jisut’s entry on the Asian market, and especially China.
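Finding 4 above (encrypted payloads hidden under the app’s assets folder) gives defenders a cheap triage heuristic: an APK is a ZIP archive, and an encrypted blob dropped into assets/ has near-maximal byte entropy, unlike the text, JSON or XML files usually found there. The script below is an added example written for this summary, not code from the ESET report or from any ransomware family it describes; the entropy threshold, the minimum file size and the constructed sample APK are assumptions chosen for illustration.

```python
"""Added example: flag high-entropy files under assets/ in an APK.

An encrypted or packed payload placed in assets/ tends to score close
to 8 bits per byte. This is a triage heuristic, not a verdict: compressed
media such as JPEG or PNG also score high, so flagged files still need
a manual look.
"""
import io
import math
import os
import zipfile
from collections import Counter

# Threshold (bits per byte) above which a file is flagged. An assumption
# for this example; tune it against a baseline of known-benign apps.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # ignore tiny files; entropy estimates on them are noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_apk_assets(apk, threshold=ENTROPY_THRESHOLD, min_size=MIN_SIZE):
    """Return {name: entropy} for files under assets/ at or above threshold.

    `apk` is a path or a file-like object holding the APK (a ZIP archive).
    """
    flagged = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith("assets/"):
                continue
            if info.file_size < min_size:
                continue
            ent = shannon_entropy(zf.read(name))
            if ent >= threshold:
                flagged[name] = round(ent, 3)
    return flagged


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK (not a real sample): a ZIP holding a
    manifest, a plain-text asset, and a random-bytes asset that plays the
    role of an encrypted payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/strings.txt", "hello world\n" * 100)
        zf.writestr("assets/data.bin", os.urandom(4096))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, ent in scan_apk_assets(build_sample_apk()).items():
        print(f"{name}: {ent} bits/byte")
```

Run against a real APK with `scan_apk_assets("app.apk")`; only the random-bytes asset is flagged in the constructed sample, while the repetitive text file scores far below the threshold. Because legitimate compressed media also scores high, treat a hit as a reason to inspect the file (and the code that reads it at runtime), not as a detection on its own.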

The ESET report also contains short technical descriptions for today’s most prevalent Android ransomware families, such as Android Defender, Simplelocker, Lockerpin, Jisut, Koler and Locker (aka Police ransomware), and Charger. To stay up to date with the progression of ransomware, check out our blog: https://www.welivesecurity.com/