The Symantec security researchers warn that the use of droppers to infect devices with ransomware has now spread to Android.
This usage of dropper along with malware is a relatively new technique, although it is a very popular for desktop computers. Furthermore, the researchers say, the actors who are using it have also implemented a 2D barcode technique that is meant to help them receive payment from victims, only problem is they did it ineffectively.
Lockdroid ransomware that was spotted about a year ago was designed to encrypt the user files and then perform other nefarious activities as well. It the requests device admin rights and, if the user allows them, it can also lock the device, prevent the user from uninstalling by modifying the user interface (UI), and can even force factory resets, and thus erasing all the user data from the infected device.
The malware designed now to drop the Android.Lockdroid.E ransomware is being distributed via third-party apps, but also through forum posts and text messages. This malware first attempted to drop a version of itself only onto rooted devices, or locks those devices that haven’t been rooted, Symantec discovered.
Once installed on a device, the malicious app checks to see whether the device has been rooted and requests root access permissions if it has. The malware claims that this would allow it to access thousands of adult movies for free, in an effort to convince potential victims of the necessity of these permissions.
Once the user agrees, the malware drops a copy of itself onto the device, by remounting the /system partition, copying the embedded APK file for Android.Lockdroid.E to /system/app/[THREAT NAME].apk, changing the dropped APK file’s permission to executable, and rebooting the device so the threat can run on boot completed as a system application.