The first mobile encryptor Trojan

In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.

By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.

At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.

The creators behind Trojan-Ransom.AndroidOS.Pletor.a make use of the same themes (“For viewing banned porno (pedophilia, zoophilia, etc.), your phone has been blocked!”) as the writers of earlier versions of encryptors that targeted Windows.

In all other respects, the functionality of the various Trojan-Ransom.AndroidOS.Pletor.a modifications does not differ. After launching, the Trojan starts encrypting the contents of the smartphone’s memory card using the AES encryption algorithm. It targets media files and documents with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.
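For triage of a memory card copied off a suspect device, the following added example (not code from the original article or from Kaspersky) flags files with the extensions listed above whose contents no longer match their type. It assumes encrypted files keep their original names, which the article does not state; the signature table, the 7.0 bits/byte entropy threshold for .txt and the function names are the example's own choices.

```python
import math
import os
import sys
from collections import Counter

# Expected (offset, signature) per targeted extension; table is this example's assumption.
MAGIC = {
    ".jpeg": (0, b"\xff\xd8\xff"), ".jpg": (0, b"\xff\xd8\xff"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"), ".bmp": (0, b"BM"),
    ".gif": (0, b"GIF8"), ".pdf": (0, b"%PDF"),
    ".doc": (0, b"\xd0\xcf\x11\xe0"), ".docx": (0, b"PK"),
    ".avi": (0, b"RIFF"), ".mkv": (0, b"\x1a\x45\xdf\xa3"),
    ".3gp": (4, b"ftyp"), ".mp4": (4, b"ftyp"),
    ".txt": None,  # no signature; judged by byte entropy instead
}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path):
    """True if a file with a targeted extension no longer matches its type."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if MAGIC[ext] is None:
        # Plain text stays well below 7 bits/byte; ciphertext approaches 8.
        return len(head) >= 512 and entropy(head) > 7.0
    off, magic = MAGIC[ext]
    return bool(head) and head[off:off + len(magic)] != magic

def scan(root):
    """Return sorted paths (relative to root) that look encrypted."""
    hits = []
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

if __name__ == "__main__" and len(sys.argv) > 1:
    print("\n".join(scan(sys.argv[1])))
```

A hit means only that the header or byte distribution is wrong for the extension; truncated or mislabelled files will also be flagged, so treat the output as a list of candidates for recovery.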

Trojan-Ransom.AndroidOS.Pletor.a then immediately displays its ransom demand. All the modifications of the Trojan that we found displayed a message in Russian and were aimed at users in two countries: Russia and Ukraine. The cybercriminals demand 260 hryvnia, or 1000-1200 rubles, from their victims. They use QIWI VISA WALLET, MoneXy or standard money transfers between phones to receive payments.

It turns out that Trojan-Ransom.AndroidOS.Pletor.a doesn’t use SMS spam to spread; in most cases it spreads from fake porn sites, disguised as a media player. We have also seen cases where it spread as a game or as a handy app for Android. Trojan-Ransom.AndroidOS.Pletor.a also spreads via a major Russian-language mobile phone forum.

If your smartphone has been infected with Trojan-Ransom.AndroidOS.Pletor.a, we recommend that you do not pay the criminals. All the versions of the Trojan that we have seen contain a key that can be used to decrypt affected files. You can also write to us at, attaching the infected files.
