In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.
By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.
At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.
The creators behind Trojan-Ransom.AndroidOS.Pletor.a make use of the same themes (“For viewing banned porno (pedophilia, zoophilia, etc.), your phone has been blocked!”) as the writers of earlier versions of encryptors that targeted Windows.
In all other respects the functionality of the various Trojan-Ransom.AndroidOS.Pletor.a modifications does not differ. After launching the Trojan starts encrypting the contents of a smartphone’s memory cards using the AES encryption algorithm. It’s interested in media files and documents with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.
Immediately Trojan-Ransom.AndroidOS.Pletor.a displays the ransom demands. All the modifications of the Trojan that we found displayed a message in Russian and were aimed at users in two countries: Russia and Ukraine. The cybercriminals demand 260 hryvnia, or 1000-1200 rubles from their victims. They use QIWI VISA WALLET, MoneXy or standard money transfers between phones to receive payments.
It turns out that Trojan-Ransom.AndroidOS.Pletor.a doesn’t use SMS spam to spread; in most cases it spreads from fake porn sites disguised as a media player. We have also seen cases where it spread as a game or as a handy app for Android. Trojan-Ransom.AndroidOS.Pletor.a also spreads via a major Russia-language mobile phone forum.
If your smartphone has been infected with Trojan-Ransom.AndroidOS.Pletor.a, we recommend that you do not pay the criminals. All the versions of the Trojan that we have seen contain a key that can be used to decrypt affected files. You can also write to us at firstname.lastname@example.org, attaching the infected files.