Beware! New Android malware steals your money then installs ransomware
It’s a story almost as old as time: malware is wreaking havoc on Android devices again. Usually, Android malware aims to steal sensitive data and passwords in order to gain access to online accounts. Less commonly, it installs ransomware to extort large sums of money from users.
A particularly dangerous malware variant that combines both techniques has now been discovered by security experts at ThreatFabric. Known as RatOn, the Trojan infiltrates an Android phone, accesses data, empties bank accounts, then locks the device to blackmail the owner.
All of this sounds scary enough, but it gets worse: RatOn can act largely autonomously. This means attackers hardly need to take any action once the Trojan lands on a device. It’s able to steal PINs its own, log into accounts, and transfer money until those accounts are empty. Crypto wallets are also a common target.
Once there’s nothing left to steal, ransomware is automatically installed on the device. The ransomware encrypts all data and denies access, allowing the attacker to send blackmail messages to the owner demanding payment in order to restore access. However, it’s unclear whether those affected still have the opportunity to do so at this point, as their accounts have already been emptied.
Table of Contents
Not an isolated case
The researchers expressly warn against this new type of threat from combined attacks by a single malware. RatOn is not an isolated case either, as a similar approach was previously observed in August with a variant of the Hook Trojan for Android devices.
These new variants show that malware attacks are still evolving and becoming more sophisticated and dangerous, and fraudsters are responding to improved security mechanisms at banks. If access to an owner’s accounts can’t be established, the attacker can always fall back on ransomware as a plan B.
How to protect yourself
In the case of RatOn, the Trojan likely lands on Android devices through fake apps. Users are redirected to pages that imitate the Google Play Store, where attackers offer applications disguised as common social media apps like TikTok—except it’s malware.
In the case of the Hook malware, it’s most likely distributed via the GitHub platform. Developers can offer applications there themselves, but they aren’t checked beforehand.
To protect yourself, you should always check whether an app comes from a trustworthy provider. You should also always activate Google Play Protect in the Google Play Store so that apps are scanned for viruses and malware before they’re installed on your device.
Also, avoid clicking on links until you’ve verified they’re trustworthy. Especially avoid links that supposedly lead to free versions of paid apps or promise other unrealistic offers. Learn more about the best antivirus apps for Android devices.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
