Part 2: A Security Expert’s Guide to Ransomware on Android
This week we are exploring Android exploits and remediations as part of our five part series on ransomware in Rethink: Security. Come back next week as we explore exploits and remediations for Apple devices.
Anatomy of the Simplocker Attack
- Installation – The victim visits a malware-compromised or Angler-hosted web server and wants to play a video or run an app. The video or app requires a new codec or Adobe Flash Player update. The victim downloads the malicious software and installs it, requiring device administrator permissions be activated. The mobile device is then infected and the ransomware payload installs itself onto the device.
- Communications – The malware scans the contents of the Secure Digital (SD) card, and establishes a secure communications channel with the command and control (C2) server using the anonymous Tor or I2P proxy networks within the darknet. These networks often evade security researchers, law enforcement, and government agencies making it extremely difficult to shut them down.
- Data Encryption – The symmetric key used to encrypt personal data on an attached SD card is kept hidden within the infected mobile device’s file system so the encryption can persist after reboots.
- Extortion – An official looking message from the FBI, Department of Homeland Security, or other government agency is displayed informing the victim that they are in violation of federal laws based on data found on the device after a scan of their personal files.
- Demand of Payment – A demand-for-payment screen with instructions on the method of payment is displayed. The fine is normally $300 to $500 and commonly paid in Bitcoin. If the ransom payment is made, the symmetric key is provided and used to decrypt the personal data. If the victim is fortunate, they are able to retrieve all their personal files intact.
Android devices are susceptible to this type of malware because of several factors. First is that it has been globally adopted by over 1.4 billion users around the world. Next is the 1300+ original equipment manufacturers (OEM), along with the fragmentation of the Android operating system. Devices running versions from 2.2 to 6.0 means that a large number of these devices never receive a critical security update, thus leaving them vulnerable to malware.
The last factor is the open and permissive mindset of its platforms. Users routinely root their devices and install apps that are unverified by Google. There are now an estimated 1.9 million apps available for download just from the Google Play Store, with potentially a million more that can be downloaded from unknown and many malicious sources.
- The default security configurations on the device enable the Verify Apps settings, specifically Scan device for security threats, and Improve harmful app detection. These settings are the equivalent to a resident anti-malware agent on the device and should remain enabled.
- Within the Settings and Security configuration is Unknown sources. Leave this disabled where only apps from the Google Play Store can be installed. For Samsung SAFE devices, this can be managed by Enterprise Mobility Management (EMM) services. Disable the ability to modify the Settings configuration, or disable the ability to enable Unknown sources.
- Set an 8 number or longer PIN. Ideally, set an 8 or longer alphanumeric password with at least 3 or more complex characters for the lock screen. Enable two factor authentication which can be a biometric fingerprint and a strong password, PIN or one-time password.
- Backup personal data automatically onto a personal cloud storage provider like Google Drive, OneDrive, Box or Dropbox. Make secondary and tertiary copies of backups using two or more of these personal storage providers since some offer free storage. Also backup personal data onto a local hard drive that is encrypted and password-protected.
- Enable an app and data container solution like Android for Work, or Samsung KNOX on the device to encrypt and isolate the work profile data from personal data.
- For BYOD deployments, create a list of disallowed apps on the device. For company-owned devices, create a list of allowed apps that can be installed on the device.
Some EMMs provide a compliance action that can be applied to block access to the corporate network gateway, or quarantine the device removing all managed configurations, and work-related content and apps, and send an alert to the user.
Additionally, create an Enterprise App Store to push curated productivity and line-of-business apps to the device.
- Configure a VPN client on the device to protect sensitive data-in-motion between the mobile device and the VPN server.
- Integrate with an App Reputation and Mobile Threat Prevention service like FireEye, Appthority, Check Point, Nessus, Blue Coat, Veracode, Lookout, Skycure, Zimperium and others for malware protection. Several of these vendors also employ an accompanying agent on the device to communicate with the MTP portal to detect and report mobile malware threats on the mobile device in real time.
- As a last resort, there are anti-malware vendors that provide software to detect and remove ransomware from an infected device. The user can also boot the device into Safe Mode, deactivate the Device Administrator for the malware, and then uninstall it.