The first mobile encryptor Trojan

In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.

By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.

At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.

The creators behind Trojan-Ransom.AndroidOS.Pletor.a make use of the same themes (“For viewing banned porno (pedophilia, zoophilia, etc.), your phone has been blocked!”) as the writers of earlier versions of encryptors that targeted Windows.

In all other respects the functionality of the various Trojan-Ransom.AndroidOS.Pletor.a modifications does not differ. After launching the Trojan starts encrypting the contents of a smartphone’s memory cards using the AES encryption algorithm. It’s interested in media files and documents with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.

Immediately Trojan-Ransom.AndroidOS.Pletor.a displays the ransom demands. All the modifications of the Trojan that we found displayed a message in Russian and were aimed at users in two countries: Russia and Ukraine. The cybercriminals demand 260 hryvnia, or 1000-1200 rubles from their victims. They use QIWI VISA WALLET, MoneXy or standard money transfers between phones to receive payments.

It turns out that Trojan-Ransom.AndroidOS.Pletor.a doesn’t use SMS spam to spread; in most cases it spreads from fake porn sites disguised as a media player. We have also seen cases where it spread as a game or as a handy app for Android. Trojan-Ransom.AndroidOS.Pletor.a also spreads via a major Russia-language mobile phone forum.

If your smartphone has been infected with Trojan-Ransom.AndroidOS.Pletor.a, we recommend that you do not pay the criminals. All the versions of the Trojan that we have seen contain a key that can be used to decrypt affected files. You can also write to us at, attaching the infected files.

The first mobile encryptor Trojan

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox