Remember when we told you that the CryptoLocker ransomware was bad news? Well, a new variant of ransomware targeting users on Android is – at the very least – associating itself with CryptoLocker, which is known for encrypting critical computer files and demanding ransom to decrypt them. This development is unsurprising, considering Android’s market share and the broad increases in malware samples targeting Android devices.
Ransomware refers to a class of malware that locks down an infected machine and demands some sort of payment to unlock it. In some cases, the malware merely renders a computer unusable. In others – like the case of CryptoLocker – the ransomware encrypts important files on the infected machine and demands payment for the private key that would decrypt those files. CryptoLocker is fairly honest with its victims about what its intentions are, whereas many varieties of ransomware present their victims with warnings purporting to come from law enforcement. These warnings generally say that some sort of illegal content has been found on the victim’s machine and that a fine must be paid in order to unlock the computer.
In this case, a group of criminals responsible for a different variety of ransomware – known as Reveton – is advertising a CryptoLocker-like piece of malware capable of infecting Android mobile devices.
The extent to which this piece of ransomware relates to the notorious, desktop targeting CryptoLocker is unclear, but whoever made it is clearly playing off the success of the old CryptoLocker as some sort of criminal marketing scam.
A well-known security researcher who operates under than handle ‘Kafeine’ uncovered this new strain and wrote about it on his blog Malware don’t need Coffee. He found that, when victims on Android devices connect to a domain infected with this strain of malware, they are redirected to a pornographic site that deploys a bit of social engineering in order to trick users into an application file containing the malware.
Herein lies the good news: you would actually have to install this malware yourself in order to become infected, which is why we recommend only installing applications from the legitimate Google Play store.
“The locker is kind of effective,” Kafeine writes in an explanation of the malware. “You can go on your homescreen but nothing else seems to work. Launching Browser, callings Apps, or ‘list of active task’ will bring the Locker back.”
The application file that a user would need to download in order to become infected with this masquerades as a porn app. If a user launches that app, it displays a warning screen notifying users that they have been accused of viewing or disseminating pornography on their phone.
The message also informs the user that he or she could potentially face a 5-to-11-year jail sentence, unless they pay a $300 fine via MoneyPak.
The version of the kit that’s being advertised by the Reveton gang has variants for victims in more than 30 countries, including the United States, UK, France, Germany, Australia and Spain.
The extent to which this piece of ransomware relates to the notorious, desktop targeting CryptoLocker is unclear, but whoever made it is clearly playing off the success of the old CryptoLocker as some sort of criminal marketing scam. This is interesting in and of itself, because it demonstrates the ways in which cybercriminals replicate legitimate business practices to maximize profit, though this is a story for a different day.