First ransomware app targeting Android devices spotted in the wild, Symantec says

The first fake antivirus app intended to victimize Android users has been spotted by Symantec, which says this fake A/V app can also act like ransomware to hold the victim's Android device hostage.

Fake antivirus scams have long plagued Windows-based PCs, trying to fool victims into thinking that there's a virus on the PC that the fake A/V can fix -- typically for some money, of course. Symantec says it has now spotted what it believes to be the first known ruse of this type aimed at Android users, through a fake A/V calling itself Android Defender. Android Defender deliberately misrepresents the status of the Android device and also acts like ransomware to hold the device hostage.


Unfortunately, the Android Defender fake antivirus app is a program that the victim would have installed by mistake.

"Once the malicious app has been installed, user experience varies as the app has compatibility issues with various devices," Symantec said on its official blog today. "However, many users will not have the capability to uninstall the malicious app as the malware will attempt to prevent other apps from being launched. The threat will also change the settings of the operating system. In some cases, users may not even be able to perform a factory data reset on the device and will be forced to do a hard reset which involves performing specific key combinations and/or connecting the device to a computer in order to perform a reset using software provided by the manufacturer."

If they are "lucky," some users may be able to perform a simple uninstall, because compatibility issues may crash the app when it is executed, Symantec says. "The malicious app is quite buggy right now, but it's clear the group is working on it and it's another indicator that what we've seen on the PC that is effective, we're going to see those attacks eventually on mobile devices," according to Symantec.

Symantec adds: "The apps were found on third-party websites. Some came disguised as a version of Skype that would allow you to make free phone calls, and when you installed it took you to the fake antivirus." That version is described in a video posted on the blog, which shows how a fake A/V can lock up a device.

It's all growing evidence that malware writers have begun flocking to the Android platform to carry out their evil deeds -- even if the fragmentation of open source Android across device manufacturers' operating system versions doesn't give malware writers as uniform a platform for malware execution as they might like. The growing Android malware problem is also providing traditional anti-malware vendors, such as Symantec, with a new market for mobile-device anti-malware protections.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE.
