Early this April, an increase of infection rates by a variant of ransomware known as Android/Ransom.SLocker.fh was seen.
Ransomware targets Tencent users
An especially relevant trait of SLocker.fh is its use of Tenpay to send payment to the criminals. Tenpay is an integrated payment platform by Tencent — China’s largest Internet service portals. Thus, it is no surprise that SLocker.fh originates from China.
In order to pay, users must have a QQ ID to send payment; which is provided. Since Tencent’s most popular platform is QQ Instant Messenger, the criminals are probably targeting these users the most.
Various iterations to fool users
Like many Android ransomware apps, SLocker.fh masquerades as various legitimate apps to fool users into accepting escalated rights. Users who accept the escalated rights will have their device forced to reboot. After reboot, users will have their device locked with overlaying screen with instructions to pay.
Because Android ransomware is on the rise, users should be extra cautious. You can protect yourself by being cautious of giving superuser and/or device administrator rights to any app that asks for it. If the app looks shady like the two example above, this is especially true.
So you’re infected with ransomware
A good anti-malware scanner like Malwarebytes Anti-Malware Mobile can remove the ransomware, but only BEFORE escalated rights are granted. Afterward, it becomes a bit harder. For how to remove such infections, refer to blog post “Difficulty removing Koler Trojan or other ransomware on Android?“
As always, stay safe out there.