Tencent users beware! There’s a mobile ransomware coming after you

It’s okay to not give away superuser privileges all willy-nilly.

David bisson
David Bisson

Tencent users beware! There's a mobile ransomware coming after you

Customers of Tencent, China’s biggest technology company, need to be on the lookout for ransomware attackers who would love nothing more than to infect their Android devices.

Like other mobile ransomware offensives, this campaign begins when a user downloads a fake copy of a legitimate app that requests superuser rights. If it gets what it wants, the fraudulent app waits for the user to reboot the device. At that point, the user sees a ransom note for an Android ransomware variant known as Android/Ransom.SLocker.fh.

Superuser dialog
One of the fake apps asking for superuser privileges. (Source: Malwarebytes)

This isn’t the first time researchers have come across SLocker. Back in March, security analysts at Check Point spotted the ransomware threat shipped out in the read-only memory (ROM) of 38 Android devices owned by a telecommunications company and a multinational technology company. The ransomware employs AES encryption to encrypt all a device’s files and demand a ransom for the decryption key.

Sign up to our free newsletter.
Security news, advice, and tips.

This newest campaign is a bit different, however.

Nathan Collier, a senior malware intelligence analyst at Malwarebytes, explains how:

“An especially relevant trait of SLocker.fh is its use of Tenpay to send payment to the criminals. Tenpay is an integrated payment platform by Tencent — China’s largest Internet service portals. Thus, it is no surprise that SLocker.fh originates from China.

“In order to pay, users must have a QQ ID to send payment; which is provided.  Since Tencent’s most popular platform is QQ Instant Messenger, the criminals are probably targeting these users the most.”

Users can protect themselves against the growing Android ransomware threat by being careful about what apps they install onto their devices. They should only download apps from Google’s Play Store. Even then, they should read the reviews of an app carefully before they decide to download it onto their device.

If they decide to proceed with installing an app, they should look out for unnecessary requests for superuser rights. If an an app appears to be asking for more privileges than it would need to carry out its functionality, users should under no circumstances install it.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.