Tapping a link on your smartphone to watch a new music video might sound harmless, but it got one 12-year-old girl from Tennessee into trouble last year.
Instead of a video, the preteen -- whose name has not been disclosed because of her age -- had unwittingly installed malicious software that downloaded child pornography, locked her Android phone, and threatened to report the pornography to the FBI if she didn't fork over $500 in ransom. She reported the hacker's extortion demands to Frank Watkins, an investigator with the Coffee County Sheriff's Department.
It's called ransomware, a type of malicious code that leaves its victims feeling personally violated. Some versions destroy your data if you don't pay, while others merely threaten. Some will encrypt your device, scrambling everything it contains until you pay a ransom.
Ransomware can be big business. CryptoLocker, which uses email attachments to infect and encrypt computers, harvested nearly $30 million in about 100 days, according to estimates from Keith Jarvis of Dell's SecureWorks counter-threat division. CryptoLocker's descendant CrytoWall, which has infected more than 1 million computers, continues to mutate and adopt new techniques that make it harder to remove.
While ransomware has been around since 1989, it's gotten worse as criminals target billions of smartphones and tablets used around the world, demanding $100 to $600 (often in bitcoins) to release it.
A new mobile threat report from Lookout, which makes security software for smartphones and has 60 million users worldwide, estimated 4 million US Android users encountered ransomware last year, said Jeremy Linden, senior security product manager for the San Francisco company. That doesn't mean they were all infected, as many could be protected by security apps like Lookout's.
Avast, which says 55 million people use its free mobile security software, reports similar numbers. Last month alone, the company blocked 5,000 ransomware attacks a day -- up from nearly zero only seven months earlier -- according to Jiri Sejtko, director of Avast's virus detection lab.
Having your computer locked out can be traumatic in its own right. Losing access to your smartphone can trigger "abject panic," said Larry Rosen, a psychologist and researcher at California State University, Dominguez Hills, who studies people's reactions to modern technology. "That little box contains everything you ever need on a daily basis. You're carrying around a phone, computer, friends -- your everything in one box," he said.
Small wonder, then, that hackers have trained their attention on mobile extortion. But payer beware. "You could pay a ransom and the malware would still not unlock your phone," said Lookout's Linden.
So far, mobile ransomware is considered to be easier to avoid than its desktop cousin. Experts have two tips for smartphone owners.
First, install an application that will block ransomware. And second, never download applications from outside the official Google Play store or Apple App Store.
And finally, report the crime to the police.
"Don't hesitate about calling," even if the attack installed child pornography on your phone, said Watkins, of the Coffee County Sheriff's Department. "Contact your local authorities. They'll be able to tell that it's ransomware."
Corrected at 3:22 p.m. PST: This story earlier misstated mobile security company Lookout's name. The estimated 4 million Android users in the US who encountered mobile ransomware were not all necessarily infected by it.