A worrying trend has been observed in the mobile malware landscape. More and more Android banking Trojans appear to come equipped with ransomware-like features. One of the first malware families to showcase such behavior was Svpeng.
In June 2014, researchers from Kaspersky noticed that what was already an established banking malware had received an update which allowed it to lock victims out of their devices and display a fake alert stating that the phone had been used for viewing child pornography. The crooks wanted $200 in exchange for unlocking the phone.
More recent examples are the SmsSpy Trojan analyzed by Dr. Web and the Fanta SDK discovered by Trend Micro. Both started out as credential-stealing malware and both ended up receiving screen-locking capabilities.
In December, Comodo discovered yet another strain of Android malware called Tordow. In addition to stealing login credentials, this particular Trojan can carry out a variety of malicious activities, including encrypting files with about 90 extensions. Scrambling the files on mobile devices is not that common because most phones and tablets are directly connected to the cloud, and the data is backed up automatically. More than likely, Tordow's encryption mechanism is far from flawless. It is there, though.
For some, it all seems a bit baffling. If the crooks have access to the victims' banking credentials, why would they need to lock people out of their devices and blackmail them for more money? And why would they go through the trouble of incorporating additional features into the malware, which inevitably increases the likelihood of mistakes? If you think about it, you'll see why.
A banking Trojan's attack on someone who doesn't use any banking software on their device is completely pointless. In this case, the ransomware-like behavior is a sort of Plan B for crooks who don't want to see all the time and effort that went into distributing the malware go to waste. There's another motive as well.
The hackers might be able to steal the login credentials to your banking application, but if you're quick enough to notice that something's amiss, you'll be able to change the password before it's too late and prevent unauthorized access. That said, if you're distracted by the weird behavior of your phone, you might not be able to react quickly enough. And when the crooks get their hands on your passwords, a timely reaction is essential.
So, the hackers do have a few reasons to start implementing ransomware features in their banking Trojans. You, on the other hand, have a few reasons to be careful.