Device-Locking Ransomware Moves to Android

UPDATE–Ransomware has been wreaking havoc on desktops for many years now, with attackers demanding that victims pay a fee to unlock the infected system. This kind of malware hasn’t been a huge issue yet on mobile devices, but that’s beginning to change, albeit slowly.

A new piece of mobile malware targeting Android is being sold by the same group responsible for the Reveton ransomware, which has been circulating for more than two years. The goal of all ransomware variants is to extort money from victims in one way or another. In some cases, including Reveton, the attackers use fake warnings from the FBI or other law enforcement agencies telling the victim that he has been found to have visited illegal sites containing child pornography and must pay a fine.

CryptoLocker and similar pieces of ransomware take this to a different level, encrypting victims’ hard drives with strong encryption and demanding a payment, typically around $300, in order to get access to the private key that will decrypt the drive. The ransomware has spread far and wide in the last year, and scammers often send out links to affiliated domains in phishing emails. When users hit those domains, they could encounter an exploit kit that tries to launch exploits against the victim’s browser.

Now, at least one gang is advertising a piece of ransomware that has the ability to infect Android devices.

Unlike CryptoLocker and its competitors, however, this malware does not encrypt the data on an infected device. Rather, it locks the device. A security researcher who uses the handle Kafeine found that when victims on Android devices hit a domain using this particular strain of the ransomware, the site redirects users to a porn site that uses social engineering to entice them to download the malicious APK containing the ransomware. The ransomware also can infect desktop machines if victims browse to the malicious domain. Kafeine is a French researcher who closely follows the malware and exploit kit worlds and often publishes analyses of new variants.

“If you land on it with Android then you’ll be redirected to a website that will push the download of the APK to the mobile without interaction. Note: no installation. User has to do an action. So it’s Social Engineering,” Kafeine wrote in an analysis of the malware.

“The locker is kind of effective. You can go on your homescreen but nothing else seems to work. Launching Browser, calling Apps, or ‘list of active task’ will bring the Locker back.”

The APK file the user downloads masquerades as a porn app, but when it’s launched victims see a warning screen saying that they have been accused of viewing or disseminating pornography from their phone. The message says the user could face a jail term of five to 11 years and demands a payment of $300 via MoneyPak.

The version of the kit that’s being advertised by the Reveton gang has variants for victims in more than 30 countries, including the United States, UK, France, Germany, Australia and Spain.

This article was updated on May 7 to clarify that the malware isn’t a version of CryptoLocker. It was further updated on June 5 to explain that the malware does not encrypt infected Android devices, but simply locks them.

  • Anon on

    This isn't cryptolocker. This is only traditional ransomware that tries to keep you stuck on a screen. There is no evidence of ENCRYPTION. Which is where the "crypto" in cryptolocker comes from.
  • Mathew on

    More than a little disturbing that a potentially destructive malware piece is doing the rounds on mobile devices. Conventional Anti-Virus has a hard task of keeping Desktop-centric Operating Systems secure, how would we fare on a mobile device with less resources? Are mobile users willing to sacrifice responsiveness or possibly even services of their mobile devices for additional layers of protection against inbound malware via mobile Anti-Malware products and security policies? Should we try to sanitize the traffic before it is sent to a mobile device instead of leaving the security aspect to solely the mobile device?
  • Anonymous on

    Rather misleading to call it Cryptolocker without it doing crypt, this is a bog standard FBI virus for Android. Cryptolocker does irreversible crypto, but the only thing scary about this thing is that anybody might get suckered into running it, let alone paying.
  • hotdog on

    so this will only work if the android user falls for the "social engineer" aspect of it (wanting porn)??
  • cdub on

    You also have to select install apps from unknown sources for it to install. So really a non issue unless you're a fool..
  • Anonymous on

    Heyo I was on porn and I saw a message saying "YOU ARE WATCHING ILLEGAL PORN. A FINE OF $1200 MUST HE PAID. ALL PHONE DATA ENCRYPTED UNTIL FINE IS PAID" I couldn't use the back button so popped out my battery
    • david on

      Hello I was a victim of this today. I was watching porn this program installed itself. (Rooted user) and before mentioned "fool" who had unknown sources checked since a lot of what I have comes from developers not from the store. I beat the virus by plugging my phone into a computer. Going to my device, android, and looking for the folder of the .ask I downloaded and installed. rebooted and turned on airplane mode so that I wouldn't go online. That stopped the pop up of the virus. Before that I was unable to touch my phone without being interrupted in seconds. So that I could not get to my programs so that I could uninstall the said program. After hooking it to my computer and deleting the folder could I make it to my programs and delete it. But sadly I am here to confirm that it does encrypt all files on your device. Pictures. Videos. Text documents. All my files now have the extension .crt. but I was able to identify some files such as pictures and videos. By hooking my phone to my computer and opening up folders. Right clicking and sorting by size. Larger files were video and smaller were pictures. There is an option to rename file extensions on windows. I used that to rename the files back to their original format. No password needed. They are not actually encrypted. Just renamed to appear encrypted. If you can identify and rename the file extension the files will return to normal once again. However there are a lot of files that I couldn't figure out and lost because of the file extension issue. I hope I can help some of you who have been affected get your files back to you. Using my android note 3. Thank you
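The recovery the last commenter describes, guessing file types by size and renaming ".crt" files by hand, is more reliable when the type is read from the file's own header bytes. The Python below is an added example, not code from the article or from anyone quoted in it: it restores extensions from content signatures and, as the caveat a renamed-only case can hide, leaves alone any file whose bytes look like genuine ciphertext. The signature table, entropy threshold and sample files are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

LOCKER_EXT = ".crt"   # extension the commenter reported on renamed files
ENTROPY_LIMIT = 7.5   # bits/byte; near 8.0 means random or encrypted data
# (offset, magic bytes, extension) header signatures: a small hypothetical subset
SIGNATURES = [(0, b"\xff\xd8\xff", "jpg"), (0, b"\x89PNG\r\n\x1a\n", "png"),
              (4, b"ftyp", "mp4"), (0, b"%PDF", "pdf"), (0, b"PK\x03\x04", "zip")]

def identify(head: bytes):
    """Extension implied by the header bytes, or None if unrecognised."""
    for off, magic, ext in SIGNATURES:
        if head[off:off + len(magic)] == magic:
            return ext
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def restore_name(name: str, ext: str) -> str:
    """photo.jpg.crt -> photo.jpg;  IMG_1.crt -> IMG_1.jpg"""
    stem = name[:-len(LOCKER_EXT)]
    return stem if stem.lower().endswith("." + ext) else f"{stem}.{ext}"

def triage_directory(path: str) -> dict:
    """Rename recognisable LOCKER_EXT files back; return the action per file."""
    report = {}
    for f in sorted(Path(path).glob("*" + LOCKER_EXT)):
        with f.open("rb") as fh:
            head = fh.read(4096)
        ext = identify(head)
        if ext:                                # the content says what it is
            new = restore_name(f.name, ext)
            f.rename(f.with_name(new))
            report[f.name] = "restored:" + new
        else:                                  # real ciphertext: renaming can't help
            ciphertext = entropy(head) > ENTROPY_LIMIT
            report[f.name] = "skipped:" + ("looks-encrypted" if ciphertext else "unknown-type")
    return report

def build_sample_dir() -> str:
    """Constructed samples: two renamed media files plus a random blob."""
    d = Path(tempfile.mkdtemp())
    (d / "IMG_1.crt").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 64)
    (d / "clip.mp4.crt").write_bytes(b"\0\0\0\x18ftypmp42" + b"\0" * 64)
    (d / "secret.crt").write_bytes(os.urandom(4096))
    return str(d)
```

Already-compressed formats missing from the signature table will also score high on entropy, so "looks-encrypted" means "do not rename blindly", not proof of encryption; extend SIGNATURES before concluding a file is lost.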
