Android Ransomware First to Encrypt Data on Mobile Devices

Researchers at Kaspersky Lab reported the first strain of Android ransomware that encrypts the contents of a device. The malware communicates either over Tor, or via HTTP and SMS.

A strain of ransomware that encrypts data on Android mobile devices, the first of its kind, has spread to 13 countries since it was first spotted less than a month ago.

Researchers at Kaspersky Lab today disclosed details on Pletor, an expensive Trojan that popped up on an underground forum selling for $5,000. The ransomware, detected as Trojan-Ransom.AndroidOS.Pletor.a, has infected more than 2,000 machines in primarily Russia and the Ukraine, but also other European and Asian countries. The peak of the infections, researcher Roman Unuchek said, came on May 22 when 500 new infections were reported.

The malware is infecting devices used to visit fake pornographic websites; the Trojan is disguised as a media player required to view videos on the sites. It’s also spreading in games and other Android applications, as well as a Russian mobile phone forum, Unuchek said.

“If your smartphone has been infected with [Pletor], we recommend that you do not pay the criminals,” Unuchek said. “All the versions of the Trojans that we have seen contain a key that can be used to decrypt affected files.”

Pletor behaves similarly to other encryption ransomware, such as CryptoLocker, in that it locks files and data on a device until a ransom is paid, otherwise, the criminals promise the data will never be retrieved.

This particular Trojan has been modified more than 30 times.

This particular Trojan, however, has been modified more than 30 times. Unuchek said the malware communicates with the hackers’ servers either over the Tor anonymity network, or over HTTP and SMS. When users’ devices are infected with the SMS or HTTP versions of Pletor, the malware will display an image taken with the smartphone’s front camera.

The victim is then presented with a warning that their device has been locked and encrypted because the user is accused of viewing banned types of pornography. The malware uses AES encryption to encrypt contents of the phone’s memory cards; primarily it targets media files and documents such as .jpg, .bmp, .doc, .mp4 and many others.

“Immediately Trojan-Ransom.AndroidOS.Pletor.a displays the ransom demands,” Unuchek said. “All the modifications of the Trojan that we found displayed a message in Russian and were aimed at users in two countries: Russia and Ukraine.”

The ransom is relatively low; 1,000 to 1,200 rubles, or between $30 and $35. Payment is demanded over digital services such as QIWI VISA WALLET or MoneXy.

Around the same time Pletor surfaced in underground forums, another piece of Android ransomware surfaced. Sold by the same group that developed Reveton for the desktop, this piece of malware locks devices, but does not encrypt their contents. Victims become infected when they use their device to visit a site hosting the malware. They are redirected to a pornographic site where they’re enticed to download a porn app that contains the ransomware.

The migration of ransomware from the desktop to mobile devices is noteworthy authorities and security researchers, who just last week conducted a takedown of the infrastructure hosting the GameOver Zeus botnet, which was used to distribute Cryptolocker ransomware for desktop machines. Within two days, the volume of packets sent by GOZ-infected machines had dropped to almost zero.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.