Device-Locking Ransomware Moves to Android

UPDATE–Ransomware has been wreaking havoc on desktops for many years now, with attackers demanding that victims pay a fee to unlock the infected system. This kind of malware hasn’t been a huge issue yet on mobile devices, but that’s beginning to change, albeit slowly.

A new piece of mobile malware targeting Android is being sold by the same group responsible for the Reveton ransomware, which has been circulating for more than two years. The goal of all ransomware variants is to extort money from victims in one way or another. In some cases, including Reveton, the attackers use fake warnings from the FBI or other law enforcement agencies telling the victim that he has been found to have visited illegal sites containing child pornography and must pay a fine.

CryptoLocker and similar pieces of ransomware takes this to a different level, encrypting victims’ hard drives with strong encryption and demanding a payment, typically around $300, in order to get access to the private key that will decrypt the drive. The ransomware has spread far and wide in the last year, and scammers often send out links to affiliated domains in phishing emails. When users hit those domains, they could encounter an exploit kit that tries to launch exploits against the victim’s browser.

Now, at least one gang is advertising a piece of ransomware that has the ability to infect Android devices.

Unlike CryptoLocker and its competitors, however, this malware does not encrypt the data on an infected device.

Unlike CryptoLocker and its competitors, however, this malware does not encrypt the data on an infected device. Rather, it locks the device. A security researcher who uses the handle Kafeine found that when victims on Android devices hit a domain using this particular strain of the ransomware, the site redirects users to a porn site that uses social engineering to entice them to download the malicious APK containing the ransomware. The ransomware also can infect desktop machines if victims browse to the malicious domain. Kafeine is a French researcher who closely follows the malware and exploit kit worlds and often publishes analyses of new variants.

“If you land on it with Android then you’ll be redirected to a website that will push the download of the APK to the mobile without interaction. Note : no installation. User has to do an action. So it’s Social Engineering.” Kafeine wrote in an analysis of the malware.

“The locker is kind of effective. You can go on your homescreen but nothing else seems to work. Launching Browser, callings Apps, or ‘list of active task’ will bring the Locker back.”

The APK file the user downloads masquerades as a porn app, but when it’s launched victims see a warning screen saying that they have been accused of viewing or disseminating pornography from their phone. The message says the user could face a jail term of five to 11 years and demands a payment of $300 via MoneyPak.

The version of the kit that’s being advertised by the Reveton gang has variants for victims in more than 30 countries, including the United States, UK, France, Germany, Australia and Spain.

This article was updated on May 7 to clarify that the malware isn’t a version of CryptoLocker. It was further updated on June 5 to explain that the malware does not encrypt infected Android devices, but simply locks them.

Suggested articles