Incidents

The first mobile encryptor Trojan

In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.

By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.

At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.

android_locker_01
The creators behind Trojan-Ransom.AndroidOS.Pletor.a make use of the same themes (“For viewing banned porno (pedophilia, zoophilia, etc.), your phone has been blocked!”) as the writers of earlier versions of encryptors that targeted Windows.

In all other respects the functionality of the various Trojan-Ransom.AndroidOS.Pletor.a modifications does not differ. After launching the Trojan starts encrypting the contents of a smartphone’s memory cards using the AES encryption algorithm. It’s interested in media files and documents with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.

Immediately Trojan-Ransom.AndroidOS.Pletor.a displays the ransom demands. All the modifications of the Trojan that we found displayed a message in Russian and were aimed at users in two countries: Russia and Ukraine. The cybercriminals demand 260 hryvnia, or 1000-1200 rubles from their victims. They use QIWI VISA WALLET, MoneXy or standard money transfers between phones to receive payments.

It turns out that Trojan-Ransom.AndroidOS.Pletor.a doesn’t use SMS spam to spread; in most cases it spreads from fake porn sites disguised as a media player. We have also seen cases where it spread as a game or as a handy app for Android. Trojan-Ransom.AndroidOS.Pletor.a also spreads via a major Russia-language mobile phone forum.

If your smartphone has been infected with Trojan-Ransom.AndroidOS.Pletor.a, we recommend that you do not pay the criminals. All the versions of the Trojan that we have seen contain a key that can be used to decrypt affected files. You can also write to us at newvirus@kaspersky.com, attaching the infected files.

The first mobile encryptor Trojan

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox