Dumb Russian Malware Is Infecting Android Devices

Pay up! Or don’t. It’s your call, really.

A group of researchers announced this week that they had discovered a piece of malicious malware that threatens to infect Android devices. Known as Xbot, the Trojan can infect devices through at least 22 different apps and “is already capable of multiple malicious behaviors.” Evidence in Xbot’s code suggests that it originates in Russia. At present, it appears to primarily target users in that country and, for some reason, Australia, but the researchers warn that it may spread as its still unknown authors continue to develop it.

Xbot stands out in part because it works through three separate vectors: It primarily serves as ransomware, encrypting files on a user’s device and demanding $100 before allowing access to them again. Attacks of this kind are far from uncommon: Just this week, a Hollywood hospital paid $17,000 to regain control of its computer system, as Josephine Wolff wrote in Slate. In the case of Xbot, however, the final cost may end up higher than it first appears. The researchers who identified the malware note that “since the ransom page comes from a remote server, the attacker can update it to change the payment method and/or the amount of money at any time.”

Wolff notes that it sometimes makes sense to pay digital ransom—like when hundreds of patients’ lives are in your hands. But if Xbot strikes you or someone you love, don’t be too quick to pay up, because the ransomware may not be all that powerful. On Slashdot, one commenter observes that Xbot encodes files “by simply XORing each byte in all files by the fixed integer number 50.” XORing refers to a cryptographic technique that ciphers information by applying a set numerical value to all of it. Since we know that number here, we already have the information that we need to get the files back. And though you might need to tap a computer science–savvy friend to implement it, you could theoretically do so without any additional intervention from the hackers. 

Ultimately, Xbot and its ilk are mostly trying to take advantage of those who simply don’t know any better, as its other features demonstrate. In addition to locking up files, it phishes for banking and credit card information, prompting users to provide it themselves rather than simply stealing it. So the best way to stay safe is to practice good digital hygiene by, just a suggestion, regularly updating your phone and not sending your personal information to a dodgy-sounding Russian Internet address.

Xbot’s final feature, which involves collecting contact information from a device and intercepting SMS messages, is somewhat more worrisome. But this feature too can be easily avoided by simply refraining from giving administrative access to questionable apps in the first place.