Google Making Life Difficult for Ransomware to Thrive on Android

At the Kaspersky Lab Security Analyst Summit, Android Security Team malware analyst Elena Kovakina explained Google’s strategy for countering ransomware on Android.

SINT MAARTEN—Google has never been shy about sharing security enhancements and victories in Android. The mobile operating system is tweaked at every iteration to fend off threats posed by potentially harmful apps and attacks against devices.

At the recent Kaspersky Lab Security Analyst Summit, Google pulled back the curtain on how it has curtailed ransomware on Android with a mix of deprecated APIs and rollbacks of certain functionality that had outlived its usefulness to users yet still drew the attention of attackers.

Android security team malware analyst Elena Kovakina said Google tracked 30 Android ransomware families in the wild and collected 50,000 samples. From that set, it studied how the malware behaved and what processes were abused, and adjusted Android accordingly. The aim, Kovakina stressed, is to raise the cost of malware development for attackers.

“Making malware for Android should be hard,” Kovakina said. “This is why when we analyze malware, we look at what it does and how it does it, such as APIs that are abused. Many system improvements are inspired by the type of malware that ran on a device.”

Ransomware for Android, or any mobile platform, has been relatively rare. The threat has primarily been confined to Windows desktops, where it’s thrived with rapid development cycles of new features and capabilities. Ransomware quickly grew from malware that locked up home screens to a threat that escalated to encrypt data on a local hard drive, files and folders accessible on shared network drives, and network-attached storage where backups might be stored. Some outlier ransomware families went so far as to encrypt machines at the BIOS level.

On the mobile side, the most prevalent threats attacked older versions of Android that are no longer supported with security updates by Google. One such threat surfaced a year ago when criminals were exploiting Android 4.x phones with the Towelroot exploit and dropping the Cyber.Police ransomware on compromised devices. The malware would lock up a mobile’s home screen and demand Apple iTunes gift cards in exchange for the decryption key that would unlock the phone. Other public ransomware attacks against Android also locked home screens.

“The really amazing thing about ransomware is that it flies in the face of some principles of Android security,” Kovakina said. “In Android, we have a good idea of what apps should and shouldn’t be doing. Apps cannot interfere with the normal behavior of other apps or the device itself. With ransomware, that’s its most notorious feature. Apps, also, cannot damage the device or data. Ransomware does that by encrypting it. Apps should also be able to be uninstalled. Ransomware prevents this.”

Kovakina said Google has primarily countered the evolving ransomware threat on recent Android builds by deprecating certain APIs. One such move came with the deprecation of DeviceAdmin, which was being abused by 70 percent of ransomware to gain elevated privileges. For example, Kovakina said Google was aware of some malicious or potentially harmful apps (PHAs) that would carry out a denial-of-service attack of sorts against the Android user interface. She said the PHA would pop up the Device Admin prompt over and over, seeking admin privileges for the app until the user would give in and grant permissions. In Nougat, she said, the Device Admin prompt now includes the option, front and center, for the user to uninstall the app exhibiting this type of behavior.

“We used that over-enthusiastic behavior to give the user a chance to uninstall the app,” she said.

Android O, a developer preview of which was released March 21, includes new system improvements aimed at making Android invulnerable to ransomware, Kovakina said. For those users on older versions—which is most of the Android ecosystem—Kovakina said Google has moved to task its VerifyApps malware scanner with blocking ransomware installations rather than just warning the user of a potentially harmful app.
