A new ransomware app has been spotted in the wild that can slip past mobile anti-virus products and lock the device. According to reports, the app is currently targeting Russian users, and so far hundreds of Android users have been victimized.

Cyber-security firm Zscaler first spotted the vicious code in the app and revealed that the cybercriminals behind the campaign are using third party stores to spread this malicious app.

The vicious scheme behind this app:

The scheme behind this app involves taking a popular app from the Play Store, disassembling it and inserting malicious code into a cloned version. Once the malicious code is in place, the crooks upload the cloned app to third party stores and wait for victims to fall into the trap.

According to Zscaler’s Gaurav Shinde, “One of the targeted apps is called ‘OK’, and it’s one of the most popular Russian entertainment social network apps. The targeted legitimate app is available on the Google Play Store and has between 50,000,000 – 100,000,000 installs. It is important to note that the OK app available on Google Play Store is NOT malicious.”

Ransomware note left by the cyber criminals / Image Credit: Zscaler

Once users install the app, it does not attack immediately; instead it sits quietly for hours before launching the attack. After a few hours, the app begins to execute the malicious code, and undismissable popups keep appearing until the attacker gets what it wants, i.e. device administrator rights.

After acquiring the admin rights, the app locks the user’s screen and demands a payment of 500 Russian rubles (around $8-10). To pressure users into paying the ransom, the app threatens to send an SMS to all of their contacts saying that the victim has been caught watching illegal porn videos.

The scary part:

The worst part about this app is that it lacks any unlock functionality, which means the phone cannot be unlocked even if the ransom is paid. Furthermore, the experts believe that the app could easily have been uploaded to the Google Play Store, because the delayed execution of the malicious code helps it evade store checks.

Precautions:

According to the security researchers, the only way to get rid of the ransomware app is to boot the device into safe mode, deactivate the app’s device administrator entry and then uninstall the app.
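As an added example (not from the article or from Zscaler), the following script helps a responder with the middle step: it pulls the enabled device administrator components out of the output of `adb shell dumpsys device_policy`, so the cloned app holding admin rights can be identified before it is deactivated in safe mode. The dumpsys text below is a constructed sample, and the component names in it are placeholders.

```shell
#!/bin/sh
# Added example: identify which apps hold device administrator rights.
# On a real device, capture the text with:
#   adb shell dumpsys device_policy > device_policy.txt
# Constructed sample, modelled on the "Enabled Device Admins" section of
# dumpsys device_policy (the cloned-app package name is a placeholder).
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.email/.SecurityPolicy:
      uid=10055
      testOnlyAdmin=false
      policies:
        limit-password
    com.example.cloned.ok/.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
  Password Owner: 0'

# Print one "package/ReceiverClass" component per line.  Admin entries are
# indented by exactly four spaces and end with ":", while the per-admin
# detail lines (uid=, policies:, ...) are indented further and are skipped.
list_device_admins() {
    printf '%s\n' "$1" | awk '
        /^    [A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:$/ {
            sub(/^ +/, ""); sub(/:$/, ""); print
        }'
}

# Package name of a component (the part before the slash); this is what
# "adb uninstall" needs once the admin entry has been deactivated.
component_package() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# Uninstalling fails while the app is still an active device admin, which is
# why the article's order (safe mode, deactivate admin, then delete) matters.
for admin in $(list_device_admins "$SAMPLE_DUMPSYS"); do
    echo "admin: $admin  -> after deactivation: adb uninstall $(component_package "$admin")"
done
```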



Jahanzaib Hassan