WannaLocker/Slocker Android Ransomware

Original Issue Date: July 11, 2019
Virus Type: Ransomware
Severity: High
Aliases: ANDROIDOS_SLOCKER.OPST [TrendMicro]

It has been observed that variants of a new ransomware named “WannaLocker”, targeting Android devices, are spreading. The malware is capable of encrypting Android devices and also has features of the Remote Access Trojan “AhMyth”, spyware, and the banking Trojan “WannaHydra”. It is anticipated that the malware infiltrates the infected device through third-party app sources or malicious links. The malware is capable of performing the following functions:

  • Extracts information from the targeted mobile device, such as text information, call logs, phone number, photos from the front and back cameras, contact list, GPS location, microphone audio data, mobile manufacturer, etc.
  • Steals financial information from the targeted device, such as credit card information, stored passwords, etc.
  • Deploys ransomware package that encrypts the user’s external storage and delivers a ransom note.

Upon successful installation, the embedded banking Trojan sends alerts to users of infected devices about user account issues and shows a fake user interface on the targeted device, urging them to sign in to the fake interface. This leads to credential theft.


Countermeasures:

  • Do not download or install applications from untrusted sources [offered via unknown websites or links in unscrupulous messages]. Install applications only from reputed application markets.
  • Install and maintain an updated antivirus solution on Android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
  • Prior to downloading or installing apps on Android devices (even from the Google Play Store), always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
  • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • In settings, do not enable installation of apps from "Untrusted Sources".
  • Exercise caution when clicking links while visiting trusted or untrusted sites.
  • Install Android updates and patches as and when available from Android device vendors.
  • Users are advised to use the device encryption or external SD card encryption feature available in most versions of the Android OS.
  • Do not download or open attachments in emails received from untrusted sources or unexpectedly received from trusted users.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Confirm that the banking app you’re using is the official, verified version.
  • If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
  • Use two-factor authentication if it’s available.
  • Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
  • Refer to security best practices for mobile phone users:
    http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf
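
One way to apply the permission-verification countermeasure to an APK before installing it, as an added example that is not part of the original advisory: the script reads the text printed by `aapt dump permissions <apk>` and reports how many of the data types listed above the app could reach. The permission mapping, the review threshold of 4 and the sample package name are assumptions of this example.

```python
import re

# Data types the advisory lists as targets, mapped to the Android permissions
# that gate them. The mapping and the threshold are assumptions of this example.
CAPABILITY_PERMISSIONS = {
    "text messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "phone number": {"android.permission.READ_PHONE_STATE"},
    "camera": {"android.permission.CAMERA"},
    "contact list": {"android.permission.READ_CONTACTS"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "external storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}
# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_LINE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")
PKG_LINE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)")

def parse_permissions(dump_text):
    """Return (package, permissions) parsed from `aapt dump permissions` text."""
    package, perms = None, set()
    for line in map(str.strip, dump_text.splitlines()):
        if (m := PKG_LINE.match(line)):
            package = m.group(1)
        elif (m := PERM_LINE.match(line)):
            perms.add(m.group(1))
    return package, perms

def audit(dump_text, threshold=4):
    """Flag an app for manual review when it can reach many of the listed data types."""
    package, perms = parse_permissions(dump_text)
    hits = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    return {"package": package, "capabilities": hits, "review": len(hits) >= threshold}

# Constructed sample output for a hypothetical flashlight app (not a real package).
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

A `review` result of `True` means the requested permissions should be compared against the app's stated purpose; messaging and navigation apps legitimately request several of these.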


References: