Ransomware expands to Android banking with “Xbot” trojan
And now, a case where obscurity by encryption can be used as a weapon.
Ransomware is one of the fastest-growing threats to consumers and enterprises, at least in terms of prominence, and more often than not the culprits get what they demand without ever having to pore through their victims’ information.
After 10 days of fussing with paper records, Hollywood Presbyterian Medical Center announced it had coughed up $17,000 to the hackers who had essentially locked the hospital out of its own computer system.
Now we’re learning about the approach of the Russian-originated “Xbot” trojan, which comes in the form of 22 Android apps aimed mainly at Russian and Australian users. Several of the apps come from smaller, poorly monitored marketplaces.
In addition to mimicking official payment registration pages to harvest credit card and banking credentials, and the usual blocking or siphoning of SMS messages and contacts, it can also hold your phone for ransom. It does so through the following steps:
- Xbot, through its disguised app, asks the user to authorize it as a device administrator.
- Once authorized, it executes commands that silence the ringer, set the password to “1811blabla” and then return the phone to the lock screen.
- Another command sends the user to a webpage claiming to be from “Cryptolocker” that the user cannot exit. Xbot uses a simple algorithm to encrypt the contents of external storage.
- The user is then directed to purchase a $100 PayPal My Cash Card and input the card number within five days or else lose the data.
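As an added defender-side example (not from the original article or from Palo Alto Networks’ research), the script below parses the enabled device admins reported by `adb shell dumpsys device_policy` and flags any app that holds both the reset-password and force-lock policies, the combination the lockout steps above depend on. The sample output is constructed, and its layout is an assumption about the real command’s format.

```python
import re

# Constructed sample modelled on the layout of `adb shell dumpsys device_policy`
# (an assumption: real output varies across Android versions and OEM builds).
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
      uid=10087
      policies:
        limit-password
        force-lock
    ComponentInfo{com.fake.bankapp/com.fake.bankapp.Dev}:
      uid=10142
      policies:
        reset-password
        force-lock
        wipe-data
"""

# Device-admin policies that together let an app set a new password and
# then lock the screen, the pair the lockout steps above depend on.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

ADMIN_RE = re.compile(r"ComponentInfo\{([^}]+)\}:")
POLICY_RE = re.compile(r"^[a-z][a-z-]*$")


def parse_device_admins(dump: str) -> dict:
    """Map each enabled device admin (package/receiver) to the policy tags it holds."""
    admins, current, in_policies = {}, None, False
    for raw in dump.splitlines():
        line = raw.strip()
        m = ADMIN_RE.search(line)
        if m:                      # a new admin block starts here
            current = m.group(1)
            admins[current] = set()
            in_policies = False
        elif line == "policies:":
            in_policies = True
        elif current and in_policies and POLICY_RE.match(line):
            admins[current].add(line)
    return admins


def flag_lockout_admins(dump: str, allowlist: tuple = ()) -> list:
    """Admins holding every lockout policy whose package is not allowlisted (e.g. your MDM)."""
    return sorted(
        name for name, policies in parse_device_admins(dump).items()
        if LOCKOUT_POLICIES <= policies and name.split("/")[0] not in allowlist
    )
```

Run it against `adb shell dumpsys device_policy > dump.txt` and pass the file contents to `flag_lockout_admins`, allowlisting the management app you actually deployed.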
Some of the security features in recent versions of Android (as far back as 5.0) can nullify parts of Xbot’s dirty work, but Palo Alto Networks is tracking continued development of Xbot, so all of these details are subject to change and the trojan could spread into other areas.
The best preventive steps for dealing with ransomware should it get past you? Back up your data regularly, wipe your device when warranted and restore from your backup.