Kaspersky researchers identify more than 30 variants of the Trojan

Jun 9, 2014 17:42 GMT

Data-encrypting malware is attempting to gain a foothold in the mobile device sector, as security researchers have found and analyzed the first Android Trojan that holds files hostage for ransom.

Today, Kaspersky Lab published its analysis of the first encryption Trojan written for Android devices.

Detected as Trojan-Ransom.AndroidOS.Pletor.a by Kaspersky products, the threat behaves much like its Windows counterparts: after infecting the device it scans for specific file types and encrypts them with the AES algorithm, then displays a message asking the user for a fee in exchange for the decryption key.

In this particular case, the threat affects images, video files and documents (JPG, PNG, BMP, GIF, PDF, DOC, DOCX, TXT, AVI, MKV, 3GP, MP4).

According to the security firm, the malware was put up for sale on a forum back in May with an asking price of $5,000 (3,680 EUR). A few days later the threat was detected in the wild.

It spread quickly: by June 5 the company had recorded more than 2,000 infections in 13 countries. Most detections were in countries of the former Soviet Union, but Canada, Germany, Greece, South Korea and Singapore were also on the list.

Development of the ransomware has intensified to the point that more than 30 variants have now been identified. They fall into two groups: one communicates with the command and control server through the Tor network, while the other uses standard HTTP and SMS channels.

The Tor-based group has also been identified by ESET, which regards it as a proof of concept because of the relatively unsophisticated way the encryption is implemented. The file encryption nonetheless works as intended.

In samples from the second group, the ransom message includes a picture of the victim taken with the phone's built-in camera.

In both cases the message is in Russian, while the payment is demanded in Ukrainian currency (260 hryvnia, about $22 / 16 EUR). These two facts, together with the region where most infections occur, lead the researchers to believe that the Trojan targets Russian and Ukrainian citizens.

The prevalent distribution method is to serve the Trojan disguised as a media player on fake adult websites. However, there have also been recorded instances of it spreading as an ordinary Android app.

In any case, researchers advise against paying the ransom, both because there is no certainty that the criminals will keep their end of the bargain and in order to discourage the practice. Furthermore, Kaspersky researchers report that every modification of Trojan-Ransom.AndroidOS.Pletor.a they analyzed contains a key that can unlock the files.
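The observation that every analyzed sample carries its own unlocking key is what makes recovery without payment possible: once an analyst extracts the static key from the sample, a decryptor can restore the files. The Go program below is an added illustration, not Kaspersky's tool or code taken from the Trojan. It assumes AES-256 in CBC mode with the IV stored ahead of the ciphertext and PKCS#7 padding, none of which the article states, and the key constant is constructed for the demo. EncryptForDemo exists only to manufacture sample locked files; Recover is the part an analyst would actually write.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ExtractedKey stands in for the static AES key an analyst would pull out of
// the sample while reversing it. The value is constructed for this demo and is
// not a key from any Pletor variant.
var ExtractedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// pkcs7Pad appends PKCS#7 padding so the plaintext fills whole blocks.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects anything malformed, which is
// also the first sign that the wrong key was used.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding byte")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptForDemo produces AES-CBC ciphertext with a random IV prepended. It is
// here only to construct sample "locked" files for the recovery demo.
func EncryptForDemo(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// Recover decrypts a locked file using the key recovered from the sample.
// Layout assumed: 16-byte IV followed by block-aligned AES-CBC ciphertext.
func Recover(key, locked []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(locked) < 2*aes.BlockSize || len(locked)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	iv, body := locked[:aes.BlockSize], locked[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

func main() {
	// Constructed stand-in for a victim's file.
	original := []byte("constructed JPEG bytes standing in for a victim's photo")
	locked, err := EncryptForDemo(ExtractedKey, original)
	if err != nil {
		panic(err)
	}
	restored, err := Recover(ExtractedKey, locked)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored %d bytes, identical to original: %v\n",
		len(restored), bytes.Equal(restored, original))
}
```

A padding check alone is a weak signal that the right key was used (a wrong key yields valid-looking padding roughly one time in 256), so a real decryptor should also confirm the recovered bytes start with the expected file signature for the extension before overwriting anything, and should always write to a new file rather than replace the encrypted copy.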

One of the best defenses against such attacks is to keep backup copies of the files, so they can be restored after an infection.
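The practical question behind that advice is whether the backup actually covers the file types the Trojan goes after. The Go program below is an added example, not part of the article or any Kaspersky tool: it walks a device export and a backup directory, selects files with the extensions listed earlier in the article, and reports every at-risk file that has no byte-identical copy (by SHA-256) at the same relative path in the backup. The directory layout and the mirrored-path convention are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// AtRiskExtensions is the file-type list the article reports the Trojan targets.
var AtRiskExtensions = map[string]bool{
	".jpg": true, ".png": true, ".bmp": true, ".gif": true,
	".pdf": true, ".doc": true, ".docx": true, ".txt": true,
	".avi": true, ".mkv": true, ".3gp": true, ".mp4": true,
}

// IsAtRisk reports whether a file name carries one of the targeted extensions.
// The check is case-insensitive so camera output such as IMG_0001.JPG counts.
func IsAtRisk(name string) bool {
	return AtRiskExtensions[strings.ToLower(filepath.Ext(name))]
}

// hashFile returns the hex SHA-256 of a file's contents.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// HashTree walks root and maps the slash-separated relative path of every
// at-risk file to its SHA-256, ignoring directories and untargeted types.
func HashTree(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !IsAtRisk(d.Name()) {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = sum
		return nil
	})
	return out, err
}

// MissingFromBackup lists at-risk files under deviceRoot that lack a
// byte-identical copy at the same relative path under backupRoot. A stale
// copy counts as missing, since restoring it would lose data. An empty
// result means everything the Trojan would encrypt could be restored.
func MissingFromBackup(deviceRoot, backupRoot string) ([]string, error) {
	device, err := HashTree(deviceRoot)
	if err != nil {
		return nil, err
	}
	backup, err := HashTree(backupRoot)
	if err != nil {
		return nil, err
	}
	var missing []string
	for rel, sum := range device {
		if backup[rel] != sum {
			missing = append(missing, rel)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: backupcheck <device-dir> <backup-dir>")
		os.Exit(2)
	}
	missing, err := MissingFromBackup(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, rel := range missing {
		fmt.Println("NOT BACKED UP:", rel)
	}
	fmt.Printf("%d at-risk file(s) without a matching backup copy\n", len(missing))
}
```

Run it against a device export and the backup destination before an incident, not after: a backup that is reachable from the infected device (a mounted share or a synced folder) is itself at risk, so the copy being verified should live somewhere the phone cannot write to.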