Bitdefender Identifies Malware Posing As Flash Update

May 29, 2015 - Written By David Steele

Bitdefender has identified a new piece of Android malware designed to extract money from victims. It arrives in an email claiming to carry an update to Adobe Flash Player; the attachment instead installs an innocent-looking video player onto the device. When the user attempts to launch the video player, the device displays an error message. Once this is dismissed, the screen switches to a notice claiming to be from the FBI, telling the user that he or she has broken the law by visiting pornographic websites. Screenshots are also displayed that purport to be the browser history of the device. The message goes on to claim that the attackers have screenshots of the victim’s face and know the victim’s location. Because the user cannot navigate away from this screen, the device is essentially disabled. The solution? $500 via MoneyPak or PayPal My Cash transfers, rising to $1,500 should the user have attempted to unlock the device themselves.

Bitdefender’s servers have detected more than 15,000 spam emails carrying the malicious zipped files, which appear to originate from servers in Ukraine. The threat has been identified as Android.Trojan.SLocker.DZ, one of the most prevalent Android ransomware applications. The authors frequently update the application and release new versions: Bitdefender’s systems show several variants from the same malware family bundled with spam messages sent from different email addresses ending in .edu, .com, .org and .net. Bitstream state that: “Unfortunately, there is not much users can do if infected with ransomware, even if this particular strain does not encrypt the files on the infected terminal. The device’s home screen button and back functionalities are no longer working, and turning the device on / off doesn’t help either, as the malware runs when the operating system boots.”

There is some hope: in certain circumstances, users can reclaim control of their devices if the ADB (Android Data Bridge) is enabled on the infected Android device. Users can then remove the offending application over ADB, or boot the device in Safe Boot mode, which prevents the application from launching so that it can be deleted manually. However, it is always better to be safe than sorry, because prevention is easier and less stressful than a cure! Remember: if you receive an email claiming to include a patch to update your device, report the message as spam and delete it from your inbox and, ultimately, from your deleted items.
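The ADB recovery route above is the part of this story a responder can actually script. The following helper is an added example written for this page, not Bitdefender’s tooling or anything from the malware analysis: it parses the text that `adb shell pm list packages -3` and `adb shell dumpsys package <pkg>` produce, shortlists third-party packages that both relaunch at boot (`RECEIVE_BOOT_COMPLETED`, matching the "runs when the operating system boots" behaviour described above) and can draw over other apps (`SYSTEM_ALERT_WINDOW`, an assumption about how the lock screen is held up, not something the article states), and emits the `adb uninstall` command for each hit. The package names and dumpsys output are constructed samples so the script runs offline; `live_shortlist()` shows the same logic against a real device with ADB enabled and authorised.

```python
"""Triage helper for a locked Android device reachable over ADB.

Added example for this article, not Bitdefender's code. Parses the
output of `adb shell pm list packages -3` and
`adb shell dumpsys package <pkg>`, then shortlists third-party packages
that request both a boot receiver and an overlay permission. All sample
output below is constructed for offline use.
"""
import shlex
import subprocess
from typing import Dict, List

# Traits worth flagging on a device whose home/back keys are "dead":
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",  # relaunches on every boot
    "android.permission.SYSTEM_ALERT_WINDOW",     # overlay that can cover the launcher
}

# Constructed sample of `adb shell pm list packages -3` (third-party apps only).
SAMPLE_PACKAGE_LIST = """\
package:com.example.notes
package:com.example.fakeflash.videoplayer
"""

# Constructed samples of `adb shell dumpsys package <pkg>`, trimmed to the
# "requested permissions" section this helper reads. Package names are made up.
SAMPLE_DUMPSYS: Dict[str, str] = {
    "com.example.notes": """\
Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.fakeflash.videoplayer": """\
Packages:
  Package [com.example.fakeflash.videoplayer] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
}


def parse_package_list(text: str) -> List[str]:
    """Turn `pm list packages` output ("package:<name>" per line) into names."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines()
            if line.startswith("package:")]


def requested_permissions(dumpsys_text: str) -> List[str]:
    """Collect permission names listed under 'requested permissions:'."""
    perms: List[str] = []
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            # The section ends at the next "<heading>:" line (e.g. install permissions:).
            if stripped.endswith(":") and not stripped.startswith("android."):
                break
            if stripped:
                perms.append(stripped.split(":")[0])  # drop any "name: flags" suffix
    return perms


def shortlist(package_list: str, dumpsys_by_pkg: Dict[str, str]) -> List[str]:
    """Third-party packages requesting every permission in SUSPICIOUS_PERMISSIONS."""
    hits = []
    for pkg in parse_package_list(package_list):
        perms = set(requested_permissions(dumpsys_by_pkg.get(pkg, "")))
        if SUSPICIOUS_PERMISSIONS <= perms:
            hits.append(pkg)
    return hits


def removal_command(pkg: str) -> List[str]:
    """The adb invocation that removes a third-party package (returned, not run)."""
    return ["adb", "uninstall", pkg]


def live_shortlist() -> List[str]:
    """Same triage against a connected device; requires ADB enabled and authorised."""
    pkgs_text = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                               capture_output=True, text=True, check=True).stdout
    dumps = {p: subprocess.run(["adb", "shell", "dumpsys", "package", p],
                               capture_output=True, text=True, check=True).stdout
             for p in parse_package_list(pkgs_text)}
    return shortlist(pkgs_text, dumps)


if __name__ == "__main__":
    for pkg in shortlist(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        print("suspect:", pkg, "->", shlex.join(removal_command(pkg)))
```

The shortlist is a starting point for a human, not a verdict: legitimate apps also request these permissions, so check the install date and source of each hit before uninstalling, and if the device will not stay responsive long enough for ADB to be authorised, fall back to the Safe Boot route described above.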