At present, ransomware is one of the fastest-growing cybersecurity threats, spreading across all platforms, including mobile. Ransomware, as the name suggests, is malware that demands money from a victim in exchange for "releasing" hacked data. Ransomware has been around for many years, but since 2013 it has become a prevalent problem on the Windows platform, when cybercriminals started to use it as a tool to hack computers. Ransomware infections have been affecting both individuals and businesses. One of the most noticeable trends in ransomware is Android malware.

According to ESET LiveGrid, Android ransomware has grown year on year by more than 50%, with the largest spike in the first half of 2016. The migration of users from PC to mobile is the main reason behind the increase in the rate of attacks. This data clearly shows that mobile devices are not safe either. In fact, different types of Android ransomware have created a lot of chaos and claimed hundreds of victims. Unfortunately, some of these threats remain to this day. Hence, it is recommended to follow good cyber hygiene and stay careful while downloading and installing applications from third-party app stores. Android ransomware has continued to evolve over the past years, and the most noteworthy families are listed below:

5) Police Ransomware

Police ransomware is a type of lock-screen ransomware, which has used different themes in the past. A BSOD (blue screen of death) or a Windows activation message are some examples of these themes. Although new lock-screen themes are occasionally spotted, police ransomware is the most recent one, and it belongs to the Reveton family.

Police ransomware claims that the device has been locked by legal authorities because illegal content or activity has been detected on the device. Sometimes the message cites a criminal code, but it says the device can be restored for a fee. This ransomware often uses IP-based geolocation to customize the message. Its deployment has several phases: setting up the infrastructure to spread the malware, compromising the victim's device, and demanding a ransom. It was first spotted in 2014 and mainly targeted Russian-speaking Android users. According to ESET reports, this ransomware is a variant of Android/Koler or Android/Locker.

4) Charger

The Charger Android ransomware was identified at the beginning of 2017. It is a remotely controlled backdoor trojan designed to lock the user's device. Camouflaged as an "energy saving" mobile application named EnergyRescue, the ransomware dubbed Charger was authored to steal user data and to take control of the device in multiple ways.

Based on the instructions received from its Command and Control (C&C) center, it demands a ransom of 0.2 bitcoin to unlock the smartphone. This ransomware is one of the first lock-screen malware families to get past Google Play's security checks. Based on the commands received, the malware can extract text messages and snaps of the victim, control and update itself, and activate administrator rights.

3) Lockerpin

The Android Lockerpin ransomware was first discovered in August 2015. This ransomware uses the Android PIN screen-locking mechanism to lock the device and even changes the PIN set on the device. Unfortunately, if the user is infected by this ransom-locker, the only way to restore the device is to reset the PIN, and that can be done only if the device was previously rooted or enrolled in an MDM solution. If not, the only option left is a factory reset, which deletes all data stored on the phone.

According to ESET's LiveGrid statistics, Android users in the USA are the most infected, with a share of 72%, while only 28% of infected users are in other countries. These statistics clearly show that the hackers targeted users in the United States to make bigger profits. This ransomware has been spreading dangerously, disguised as an application for viewing adult videos. In the recent version, the malware is designed to obtain Device Administrator rights through a covert tap-jacking technique. The system activation window is overlaid with the trojan's window, which is camouflaged as an "update patch installation". When the user clicks on the innocent-looking installation button, they are greeted by a ransom message demanding $500 for allegedly watching porn videos.

A specified time after the ransom message is shown, the PIN is changed to a randomly generated four-digit number. This ransomware also uses an aggressive self-defense mechanism to compel the user to pay the ransom. Even if the victim tries to revoke the malware's Device Admin rights, they will get an error, because the trojan has already registered a call-back function to reactivate the privileges.
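The Lockerpin traits described above can be checked statically before an app is allowed onto managed devices. The following is an added example, not code from the original article or from ESET: it assumes the manifest and device-admin policy file have already been decoded to text XML, assumes the overlay is drawn with the `SYSTEM_ALERT_WINDOW` permission, and uses hypothetical trait labels and constructed sample input.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample input (not from a real app): decoded manifest and policy file.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
POLICIES = """<device-admin><uses-policies>
  <reset-password/><force-lock/>
</uses-policies></device-admin>"""


def triage(manifest_xml, policies_xml=None):
    """Return the sorted list of Lockerpin-style traits found in the app."""
    root = ET.fromstring(manifest_xml)
    found = set()
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.add("overlay-permission")  # assumed overlay vector: draw over other windows
    for rcv in root.iter("receiver"):
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device-admin-receiver")  # app can ask to become Device Admin
    if policies_xml:
        used = {e.tag for e in ET.fromstring(policies_xml).iter()}
        if "reset-password" in used:
            found.add("can-reset-pin")  # policy required to change the lock PIN
        if "force-lock" in used:
            found.add("can-force-lock")  # policy required to lock the screen
    return sorted(found)


def is_high_risk(traits):
    """Overlay + Device Admin + PIN reset together warrant manual review."""
    return {"overlay-permission", "device-admin-receiver", "can-reset-pin"} <= set(traits)


if __name__ == "__main__":
    print(triage(MANIFEST, POLICIES), is_high_risk(triage(MANIFEST, POLICIES)))
```

Each trait also appears in legitimate apps (MDM agents, screen filters), so the combination is a prompt for review rather than a verdict.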

2) Jisut

This strangely named ransomware saw a significant rise in 2016, doubling the number of detections compared to 2015. The Jisut variant identified in 2017 had a special ability: it demanded the ransom using a voice message, making it the first "speaking Android ransomware". After infecting the mobile device, a female voice speaking in Chinese congratulates the user on being a victim and asks for 40 Yuan to unlock the device. This ransomware is most widespread in China and is believed to be the work of Chinese teenage cybercriminals.

Unlike other ransomware, which demands payment via pre-paid cash vouchers or bitcoin, the gang behind Jisut gave their contact information on the Chinese social network QQ and asked victims to contact the authors to get their files back. If the profile information is to be believed, the malware authors are Chinese youths. The first variant of Jisut appeared in 2014, and since its inception hundreds of variants have been identified, which behave differently or display different ransom messages based on the same code template.

Another variant of Jisut asks the user to click a button that says "I am an idiot" 1000 times to retrieve their files. If the user clicks the button a thousand times, nothing happens and the counter just resets to zero.

1) Simplocker

Simplocker is one of the most widespread ransomware families. It usually tricks the user into installing the application by camouflaging itself as a legitimate mobile app. Normally, the camouflage revolves around internet porn, popular games, and flash players. This malware encrypts images and documents with the extensions JPEG, JPG, PNG, BMP, GIF, PDF, DOC, DOCX, TXT, AVI, MKV, 3GP, and MP4 using the AES cipher. Unlike other ransomware families, the encryption key of Simplocker was hardcoded.

The ransom message was written either in Russian or in Ukrainian Hryvnias, so we can fairly assume that this ransomware was targeted against Russian and Ukrainian Android users. The malware instructs victims to pay the ransom through prepaid money vouchers such as MoneXy or QIWI, as it is not easy to trace the hackers when ransoms are paid through these means. Simplocker also displays a photo of the victim taken with the device's camera to increase the scareware factor.

Only a month after the first variant of Simplocker was discovered, a new version of this ransomware was identified, which featured significant improvements. The most noticeable change in this version is its language. In the earlier version, the ransom message was displayed in Russian or Ukrainian, but in the recent version the message was displayed in English, leading victims to believe that their device had been locked by the FBI and NSA for accessing forbidden porn websites. The ransom demanded was in the range of $200 to $500.

The most significant step in the evolution of this ransomware was the encryption method used to encrypt the victim's files. The recent variations of Simplocker used unique cipher keys generated from the Command and Control (C&C) server to encrypt SD card data, documents, images and videos, and archive files such as ZIP, 7z, and RAR. This marked the end of the trojan's proof-of-concept stage, and it was no longer possible to decrypt the data easily.


Ransomware, the fastest-growing cyber threat, is the main danger for Android operating system users. Hence, it has become essential to take preventive measures to protect ourselves from becoming victims of malware attacks. The first and most significant measures are avoiding unofficial app stores and installing a mobile security app and keeping it up to date. It is also a good idea to keep an additional back-up of all important data stored on the device. Users who follow good cyber hygiene are much less likely to face a ransom demand. Even if they fall victim, in the worst scenario, having a back-up definitely helps them avoid such nonsense.

We never recommend that users pay the requested ransom to retrieve their files. Although some established ransomware gangs do release the data, that is not always the case, and there is no assurance that victims will get their data back even if they pay the demanded ransom. As far as Android ransomware is concerned, there are several variants in which the code to uninstall the application and to decrypt the files was missing altogether, so paying a ransom would not bring the victims out of their misery.

Cyware Publisher