Hundreds of thousands of Android owners have opened their phone over the past month not to find a new text message or missed call, but a message from what appears to be the F.B.I. warning them that their phone has been locked because they’re guilty of viewing child pornography. Known as "ScarePakage," the warning is in fact a ransomware scam that locks users out of their phone until a fee is paid.
The hackers who send the message use various ways of intimidating the Android owner, from saying that their phone has been infected with child porn to claiming that the phone was used to send out phishing emails. Such warnings aren’t always from the FBI, either, with cybercriminals also posing as cybersecurity firms. What each recipient does have in common, though, is that they were targeted in a wide-ranging “ransomware” hack that holds phones hostage until they pay a ransom fee to the cybercriminals in question.
At least 900,000 Android users have been ensnared by ScarePakage over the last 30 days, Lookout, a California-based mobile security firm, told the New York Times. The suspected offenders are the same gang of Eastern European hackers who sent out spam and fake antivirus software to 16 million PC owners around the world in 2012.
“This is, by far, the biggest U.S. targeted threat of ransomware we’ve seen,” Jeremy Linden, a senior security product manager at Lookout, told the Times. “In the past month, a single piece of malware has infected as many devices in the U.S., as a quarter of all families of malware in 2013.”
Reports first surfaced in July that the malicious software had been unleashed. Users would be prompted to visit a dubious website hosting the malware or download an app masquerading as a previously-nonexistent form of antivirus software. Unlucky customers would then be locked out of their phone and warned, supposedly by the FBI, that the only way to get out of trouble would be to pay $300.
“ScarePakage is likely created by Russian or other eastern European authors given language cues used in the application that we observed,” Lookout explained in a blog post last month. “Unfortunately, this ransomware is hard to remove if you give this malware device administrator privileges.”