Understanding Android Malware Families: ransomware and scareware (Article 3)


Ransomware is malicious software used by individuals to encrypt documents on computers or digital devices. 

How they work

Perpetrators demand a ransom from the owner of a device to access the victim’s documents; once in, criminals install ransomware on their mobile phone or computer. When the owner clicks on a malicious link in an email, text message or website, their document is automatically locked (otherwise known as a crypto locker).

In case you missed it:

Understanding Android Malware Families – the foundations (Article 1)

Understanding Android Malware Families – the trojan: an impersonator in the background (Article 2)

On the other hand, scareware is malicious software that criminals convince users to purchase or download. Bad actors coax victims into believing that they may harm their device if they don’t download or buy malicious software. Scareware is often initiated through pop-up advertising and takes advantage of attackers’ social engineering tactics to coax users into installing fake anti-virus software. 

Here, we’ve analyzed and provided results for several ransomware and scareware families. 

The malicious behaviour of ransomware and scareware families

Common ransomware activities include sending text messages, enabling GPS, browsing the Internet and clicking on compromised pop-up advertisements. Additionally, ransomware families can set a four-digit PIN to lock the smartphone, save images, documents, and videos in both the compromised device’s external and internal storage. In the worst scenario, they can disable the SIM card on the victim’s device. 

Ransomware vs Scareware
Ransomware vs Scareware

All the ransomware families collect sensitive data from mobile phones and interact with hardware settings to fetch which Android operating system version is installed on a device. All, except Fusob and Jisut browse the Internet to download malicious files on compromised devices. Additionally, Congur and SmsSpy family communicate via a command-and-control server.

Looking into scareware families, Avpass is the only family that interacts with anti-virus solutions installed on a device. All the scareware families browse the Internet to display pop-up advertisements and…

Source…