The evolution of mobile ransomware

Stefanie Smith 5 Apr 2016

Ransomware is a type of malware that locks a device or encrypts the data on it and then demands a ransom payment to unlock the device or to decrypt the data.

Ransomware has been a hot topic recently. The latest PC ransomware, Locky, made its rounds in late February and multiple hospitals were infected with ransomware, which forced an online shutdown. Not only is ransomware continually attacking PCs, but this nasty form of malware is becoming increasingly sophisticated and common in the mobile space as well.

What is ransomware?

Ransomware is typically spread using social engineering tactics, meaning that people are tricked into downloading it. In social engineering schemes, victims think they are downloading innocent content or a crucial service, such as antivirus software or a bill they need to pay, when they are really downloading ransomware. Once downloaded, ransomware displays a fake message accusing the user of illegal activity (downloading illegal porn or something similar). The ransomware then encrypts files or locks the device and demands a ransom payment to decrypt the files or to unlock the device. Once a payment is made, often with Bitcoins via Tor, the ransomware communicates with a C&C (command and control) server, which then sends the victim the decryption key.

“Ransomware boomed because it has an immediate effect on the infected user's psychology. Fear and anxiety are two main emotions that criminals can evoke to get their victims to pay ransom,” said Nikolaos Chrysaidos, mobile malware analyst at Avast. “Social engineering plays a significant role in developing fear. Images and text can lead the victim into believing they are being accused of performing illegal activities. Anxiety can be caused by countdown timers that limit the time the victim has to pay the ransom and decrypt the device or files.”

How ransomware transitioned to mobile

Cybercriminals are like teenage girls in that they like to keep up with all the latest trends, which in this case, means ‘going mobile’ with ransomware. Malware used to target PCs is now targeting mobile devices.

Nearly two-thirds of Americans own a smartphone, and according to an Ericsson report, 70% of the world’s population will be using a smartphone by 2020. This increasingly large target pool is ideal for cybercriminals because people are storing larger amounts of sensitive, personal data on their smartphones, which also means they would be more willing to pay a ransom to recover their threatened data.


In 2014, the first variant of Simplocker emerged. Simplocker is the first mobile ransomware to truly encrypt images, documents and videos using Advanced Encryption Standard (AES). Prior to Simplocker, mobile ransomware only claimed to encrypt data as a scare tactic, but it didn’t actually encrypt any files.

Although the first variant of Simplocker was somewhat revolutionary, it used the same encryption key for each device it infected (think of this like a master key). Once we tracked down the decryption key, we were able to create an app called Avast Ransomware Removal that could decrypt all devices infected with Simplocker.


A few months later, the second variant of Simplocker appeared. The cybercriminals behind the initial Simplocker realized that they needed a stronger attack method and therefore started generating unique keys for each infected device. This, of course, made it more difficult to decrypt infected devices.  

“Ransomware mobile encryption keys are getting stronger, but they are still about five times less sophisticated than on the PC side,” says Filip Chytry, security researcher at Avast. “Mobile ransomware is now encrypting data using AES 256 bit, which is still impossible to decrypt without the right decryption key.”

In 2015, we saw more than 200,000 of our mobile users encounter ransomware. We have already seen a 5-6% year-to-year growth between the beginning of 2015 and the beginning of 2016, and we don’t expect this growth to slow down anytime soon.

How mobile ransomware is distributed

Since it is difficult to get malware onto the Google Play Store, ransomware distributors heavily rely on social engineering to trick people into downloading malicious content from websites. We have seen many cases where ransomware is disguised as an antivirus app on a site that looks nearly identical to Google Play. First, the user stumbles across an ad while browsing, which claims that the device is infected. When clicked on, the ad opens a page that looks just like the Google Play Store. If you look carefully, the site has a different domain name. The fake site will have a URL like google.xy, not The fake app proceeds to instruct the victim to enable the downloading of apps from sources other than the official Google Play Store.
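A defender-side check for the lookalike-store pattern described above, added here as an illustration and not taken from the original article. It assumes the genuine Play Store web host is play.google.com; the function name and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption: the genuine Play Store web front end is served from this host.
OFFICIAL_HOST = "play.google.com"
BRAND = "google"


def classify_store_url(url: str) -> str:
    """Classify a link as 'official', 'lookalike' or 'unrelated'."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # bare "google.xy/store" as shown in an ad
    try:
        parts = urlsplit(url)
        # hostname drops userinfo and port and is lower-cased; a trailing
        # dot ("play.google.com.") names the same host, so strip it.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unrelated"  # not parseable as a URL at all
    if host == OFFICIAL_HOST:
        return "official"
    if host == "google.com" or host.endswith(".google.com"):
        return "unrelated"  # a real Google host, just not the store
    # The brand anywhere else in the authority part (another TLD, extra
    # labels after it, or userinfo before "@") means the site borrows the name.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links; google.xy is the article's own placeholder domain.
SAMPLES = [
    "https://play.google.com/store/apps/details?id=com.example.app",
    "http://google.xy/store/apps",
    "https://play.google.com.security-scan.xy/",
    "https://play.google.com@apps-store.xy/",
    "https://example.org/blog/google-play",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_store_url(sample):10} {sample}")
```

The allowlist is deliberately a single host, so other genuine Google-owned domains would have to be added before using this on real traffic.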

Ransomware can also be distributed via vulnerabilities like Certifi-gate. If distributed via Certifi-gate, a malicious app does not need to trick the user into giving it access to download the ransomware from outside of the Google Play Store; it can grant itself that access.

What happens once a device is infected

Once ransomware is downloaded, it sends a fingerprint of the app, the IMEI or the device’s phone number to a C&C server. Depending on the malware’s level of sophistication, the C&C server sends back a generic encryption key or a unique encryption key for the particular device, or there is simply no communication with a C&C server at all. If an encryption key is sent, the device can be locked or files on the device can be encrypted.

What happens when the ransom is paid

In some cases, apps don’t decrypt data even if a ransom is paid. We have also seen cases where the app does decrypt data after the ransom and pretends to delete itself, but really the ransomware remains hidden on the device. When hidden, ransomware can remain dormant for some time, sending pings back to a C&C server. In this case, cybercriminals can send a command and reactivate the ransomware at any time. Because of this, it’s imperative for infected, ransom-paying individuals to download mobile antivirus software, like Avast Mobile Security, to ensure that the malware is completely removed and is not capable of being reactivated.

Pranksters vs. Cybergangs

The distributors of mobile ransomware can be split into two groups:

“Thirty percent of ransomware is spread by amateurs who want to make a bit of pocket change. This group spreads ransomware that either doesn’t actually encrypt infected devices or uses a generic encryption key,” says Filip Chytry. “The other 70% of ransomware is spread by cybercriminals. These cybercriminals distribute ransomware that communicates back to C&C servers that send unique encryption keys for each device they infect. We can tell there are organized networks behind this type of ransomware, because they have servers around the world and rotate between these servers to make it harder for antivirus companies to block their server connections.”

What to do when your phone is infected with ransomware

If your phone becomes infected with ransomware, there is unfortunately little you can do besides pay the ransom. We usually discourage paying ransom because this reinforces the fact that ransomware is an effective way for cybercriminals to make money and encourages them to continue. If you are infected with ransomware that still allows you to download other apps, try downloading Avast Mobile Security to rid your device of the ransomware.

How to protect yourself from mobile ransomware

As stated above, there is one very important step you need to take to protect all of your devices -- mobile, PC and Mac alike -- from ransomware: Download an antivirus solution!

We are not only saying this because we offer security solutions for Android, PC and Macs, but also because these solutions really can protect your device and the data on it from many different forms of malware.

In addition to downloading an antivirus, make sure that you’re aware of the actions you take while browsing the Internet. Do not open any links or attachments from unknown or suspicious sources.