Android ransomware
A new WannaCry lookalike is targeting Android smartphone users in China.Creative Commons

Cybercriminals in China have developed a copycat version of WannaCry ransomware to target Android users in the country. The new ransomware's message screen looks a lot similar to that of WannaCry, making it easier for hackers to scare the victims and trick them into quickly paying the ransom.

The ransomware, dubbed "WannaLocker" by Avast, has so far targeted only Chinese Android users by encrypting files on the infected device's external storage. The newly detected mobile ransomware has been spreading via Chinese gaming forums by disguising as a plugin for a popular Chinese mobile game called King of Glory.

After getting into a device, the WannaLocker ransomware hides its app icon from the app drawer and changes the main wallpaper on the infected device to an anime image. After that, it starts encrypting files on the device's external storage.

Sloppy handling of ransom payments

To release the encrypted data, the WannaCry lookalike demands a ransom of 40 yuan (about $6 or Rs. 380), which is significantly lower than what other mobile ransomware had demanded in the past. The fact that the crooks demanded the ransom in regular currency using Chinese payment methods like QQ, Alipay and WeChat suggests it could be a work of an amateur hacker or group of hackers.

Unlike cryptocurrencies like Bitcoin, the money demanded by WannaLocker creators can easily be traced. And for Chinese authorities, who are known for having deeper access to data from technology companies, it could just be a matter of a few minutes to find out who is receiving the ransom.

WannaLocker ransomware
WannaLocker ransom note.Avast

Solid encryption technique

Except for the sloppy method of handling ransom payments, the WannaLocker ransomware impresses otherwise with its "solid" encryption code. Its ability to actually encrypt files is also remarkable, especially when most Android ransomware tools still play around the screen-locker level, according to Bleeping Computer.

The ransomware, which was first reported by Chinese security company, Qihoo 360, uses Advanced Encryption Standard (AES) encryption to lock files under 10KB in size. It doesn't encrypt files whose names start with a dot, or files located in folders that include "android", "com", "DCIM", "download", or "miad" in their file path.

Here's a security advice from Avast:

To protect your phone and valuable photos, videos, contacts stored on it from ransomware, make sure you frequently backup your data and install antivirus on all of your devices.

Last week, online security watchdog Check Point said it had detected a malicious malware called Fireball, affecting more than 250 million computers across the world, including 25.3 million infections in India alone. Fireball was said to be created by Chinese ad corporation Rafotech to manipulate users' browsers to get false clicks and promotion for its clients online.