Android Ransomware SLocker Returns With Hundreds Of Variations

Mobile malware is back in the limelight after a warning that nasty Android ransomware is making an unwelcome comeback.

The warning came from security specialists Wandera, which said that SLocker is growing again after it identified nearly 400 unique samples.

And to make matters worse, this time the Android ransomware has been toughened to fight off the defensive measures used by security tools.

Nasty Ransomware

In a blog posting Wandera said that the malware had not disappeared after it was first detected a number of years ago.

“Wandera has discovered that SLocker is making a comeback, and this time it is more resilient to the defensive protections provided by security tools,” the firm said. “Our mobile intelligence engine, MI:RIAM, has identified nearly 400 unique samples of SLocker malware in distribution, and that number is rapidly increasing.”

The way the SLocker ransomware works is that once it is on your Android device (usually after a booby-trapped app is installed), it encrypts images, documents and videos.

It then asks for a ransom to decrypt the files.

“Once the malware is executed, it starts a service that runs in the background of your device without your knowledge or consent,” warned Wandera. “While initially operating stealthily, once the file encryption process is complete, the service will hijack your phone, blocking your access, locking your screen and constantly showing you an intimidating message.”

It said that the message usually threatens to expose or destroy the information on the device, and some SLocker versions accuse the user of having ‘perversions’ in order to frighten the victim into compliance.

“The only way to take back full control of your phone is to pay the ransom demanded, or risk destruction or exposure of your personal data,” Wandera said.

And it seems the new ransomware variants have been toughened to avoid detection.

“These variants have been carefully redesigned and repackaged to avoid all known detection techniques,” said Wandera. “They utilise a wide variety of disguises including altered icons, package names, resources and executable files in order to evade signature-based detection.”

But Wandera said that its security software can now see through these guises.

Established Threat

SLocker has been around for a number of years now and is considered to be one of the most prevalent Android ransomware families.

Indeed, SLocker infections have apparently brought in tens of millions of dollars in paid ransoms for the hackers over the years.

In 2015 the Ukrainian ransomware was responsible for 15,000 spam emails that hit Android devices with an FBI porn warning. It demanded $1,500 after showing users an FBI logo and warning them they had broken the law by visiting pornographic websites.

And then Check Point warned in March this year that pre-installed malware including SLocker had been identified on 38 Android devices provided by a large telecom company and a multinational technology firm.


Tom Jowitt
