Mobile Ransomware Targeting Android and iOS

By James Green ~ June 18th, 2014 4:30 PM MST


Ransomware has become one of the most dangerous new forms of mobile malware. Previously exclusive to the desktop platform, this form of malware was a very successful means for cybercriminals to extort money from victims. Then, almost exactly a year ago, Android.Defender became the first ever ransomware style threat to target Android devices. Until recently mobile ransomware lay somewhat dormant, the only real development being a variant of Android.Defender found in late 2013. But within the last two months there have been four new mobile ransomware threats discovered (three for Android and one for iOS).

All three Android ransomware threats are downloaded as fake Android applications and are capable of locking or encrypting data stored on infected devices. The iOS ransomware is a not an app but a vulnerably in the antitheft feature normally used by iPhone and iPad owners to remotely lock a lost or stolen device. This feature is exploited by cybercriminals to lock the victim’s device and hold it for ransom.

iOS Ransomware

Oleg_PlissThe iOS ransomware hack is novel. Cybercriminals created a phishing website designed to steal login credentials for iCloud accounts. The stolen information was then used to gain unauthorized access to victims’ iCloud account and use the “Find My iPhone” feature and enable “Lost Mode.” Enabling “Lost Mode” allows the cybercriminals to remotely lock the device and display a message to the victim. It was widely reported that victims received a message stating their device had been “hacked by Oleg Pliss” and demanded a ransom between $50-$100 be paid to a designated PayPal account.

Fortunately there is a workaround for this iOS ransomware. Victims who already use a lock screen PIN number to protect their device will be able to immediately unlock this ransomware hack. The default PIN number used when ‘Lost Mode’ is enabled is the same PIN number used for the device lock screen and this cannot be changed by the cybercriminals. Alternately victims who do not use a lock screen PIN number can take their infected device(s) to an Apple store and have the device restored to factory settings. Restoring the device to factory settings will unlock the victim’s device but also result in the data loss, which is why it is important to back up your device regularly.  

Android Ransomware

Mobile malware primarily targets Android for its popularity and open infrastructure, this is why mobile ransomware debuted on the Android platform and has seen greater development. Android malware is most prevalent in Russia and as such Russian Android users are normally the target of new Android malware. However, these forms of ransomware broke the mold and have been observed targeting 35+ countries including the US and UK.

May 2104 marked the first great development in Android ransomware when Cryptolocker, wildly successful PC ransomware, migrated from PC to Android. On the Android platform Cryptolocker (also detected as Koler) locks an infected device under the pretext of viewing “banned pornography (child pornography/zoophillia/rape etc).” This ransom message appears to be from a legitimate sounding government agency (ex: USA Cyber Crime Center) from numerous different countries. The message goes on to say the victim must pay a fine in order to regain access to the device, failure to pay will result in the contents being permanently deleted and a criminal case being brought against the victim. At $300 to unlock the device Cryptolocker has the highest ransom of the three Android threats.


The second most expensive Android ransomware threat is a new version of the Svpeng Trojan which demands a $200 ransom. This Svpeng variant was discovered a month later in June and shares many similarities to the Cryptolocker ransomware. Both threats use the guise of a government agency locking a device for viewing illicit pornography, and both demand payment be made via a system called MoneyPak. Both threaten to publicly embarrass the victim, instead of criminal prosecution Svpeng threatens to send messages to all device contacts informing them of the victim’s illicit pornographic activities.

It is odd that the most capable  Android ransomware is also the threat with the least expensive ransom.Simplocker is the only Android ransomware yet discovered that is actually capable of encrypting files on the victim’s device. Once installed the threat displays a ransom message and begins encrypting certain file types on the SD card. This ransom message is in Russian and also states that illicit pornographic images were detected. The ransom is demanded in Ukranian currency for the amount of 260 UAH, which amounts to about $20 USD. According to the ransom message, failure to pay will result in all encrypted files being lost.

Protect Your Mobile Device

First of all, we would like to urge users NEVER to pay a ransom! There is absolutely no guarantee paying the ransom will unlock your device or decrypt your files. Furthermore paying these cybercriminals encourages further crime, if the crime isn’t profitable they will stop.

For iOS users it is important to protect your iCloud account with a strong password and protect your device with a lock screen PIN. For assistance creating as strong memorable password follow this link. The top two password creating tips are: Never use real words in a password (in any language), and include upper and lower case letters, special characters, and numbers. A lock screen PIN number will help protect against this particular ransomware threat as well as prevent unauthorized access to your smartphone and all of the sensitive information it contains A smartphone lock screen is good personal security.

 For Android users it is important to be skeptical and review all applications before installing anything. Avoid untrustworthy sources and if you have any concerns you should research the application and app developer online. Look for a developer website, customer service number, and social media page and review each to establish credibility.

Users of both iOS and Android devices should regularly back up their data to a computer or cloud storage. If  your device is infected with a ransomware threat we recommend that you turn it off immediately and factory reset the device. 

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA