Protect your Mobile, or else – You Will Have to Pay Ransom for the Right to Use it Again!

Over the last couple of months, two major trends in the constantly evolving cybercrime world have become more and more prominent. Cybercriminals are seeking new sources of profit, as the old ones become harder to exploit over time. Lately, we have noticed a new developing trend, an offspring that combines the two described below.

The first trend on the rise is the targeting of Android systems. Although the subject is not new on underground platforms, and dedicated rooms for discussing vulnerabilities on Android were already opened a couple of years ago, we can definitely say that a big step forward has been made in recent months in this area.

Malware for Android is frequently seen on underground forums and uploaded to file-sharing platforms. Since the beginning of 2014 alone, we have monitored approximately ten malware tools for infecting Android devices, for example Dendroid, AndroRAT, iDroid (targeting both iOS and Android systems), Stoned Cat, etc. The modus operandi can differ, but the final target is always the same: monetary theft, whether by stealing credentials for mobile banking applications, sending premium SMS messages, or some other method. The infection technique also varies. It usually happens when the victim installs a new application that is actually the virus itself, obviously well-disguised as something harmless. Another infection vector is binding malicious code to a legitimate application. Finally, there are the good old emails and SMS messages containing a link that initiates the download of malware.

Dendroid's Admin Panel
IDroid's Admin Panel

The second trend is the growing number of ransomware viruses that lock the user's computer and/or encrypt his files, then demand payment for restoring the computer to its initial state. The most infamous malware of this kind is Cryptolocker, but there are others that we have written about in the past.

If these two methods are profitable, why not combine them and increase the odds of earning more easy money? We recently noticed the sale of two "ransomware for mobile" products on the Russian underground. The first is called Block Android Mobile, offered alongside additional products by the same seller, such as Syslocker and BrowBlock. The seller and his services appeared on one of the closed Russian forums in February 2014, but the mobile ransomware was offered as a new function in April 2014. According to the seller, there are two APIs for this malware. The first redirects traffic to a landing page, where an automatic download of a malicious file occurs; the victim then has to run the APK file later. The second API lets the cybercriminal inject the APK file directly wherever he desires. A deeper analysis of this malware was provided on the Malware don't need coffee blog, whose author came across its files in action.

Another ransomware for mobile is Tor Android Cryptolocker. This was offered for sale for US$5,000 about two weeks ago. Once installed on the mobile device, the malware blocks the screen, thus preventing its removal. At the same time, it encrypts all files of a defined set of formats that are found on the SD card and in the phone's memory (including music, photos, videos, etc.). The victim is asked to pay a certain amount of WebMoney, after which his phone is unblocked. The author was offering only three copies for sale. According to our last check, two were already sold. This probably means that we will soon see this malware in action.

The blocking message sent by Tor Android Cryptolocker

Taking into account the important role that mobile phones play in our lives, this can be a very profitable means of extortion. Buying a new phone may not always be cheaper than paying hundreds of dollars to get the old one back. And there are also all those pics and videos (of extremely high emotional value) that we do not always back up, although it is widely known that we should. Cybercriminals can be good psychologists sometimes, and they know how to hurt us where it is most painful.

Ransomware Malware – Not Exclusive to CryptoLocker!

Since its discovery in the wild in September 2013, CryptoLocker has held the title of 'the most damaging Windows ransomware Trojan.' CryptoLocker appears to spread through fake emails, and once it reaches your device, it encrypts the files on your computer. As soon as it completes its malicious action, a message demanding a ransom of $100 or $300 in return for the decryption is displayed. The relatively large sum demanded, combined with a tight deadline (after which the files are lost forever), makes it appear more aggressive than other similar viruses.


But CryptoLocker's programmers have not reinvented the wheel. This kind of business can be very profitable, so Russian cybercriminals cannot just pass it up. We heard mention of different kinds of locker malware on Russian forums as early as 2005, when no one had even heard of web currencies, which today are a very convenient way to settle a ransom payment.

Silence WinLocker first appeared on Russian trading platforms in early 2012 and sold for $250. This ransomware demanded a payment of $200 for an alleged violation of copyright law. In later versions of the locker, this was changed to accusations of visiting porn websites.


MultiLocker was another ransomware that sold for $899 in November 2012. Many underground forum members complained that it bore too close a resemblance to old versions of SilenceLocker.


Euro WinLocker sold for $1,000 in July 2012 and was marketed as Europe-oriented ransomware. However, sales were soon halted owing to a financial conflict that eventually got the seller banned from the two most important underground forums. He thus lost any chance of continuing to market his products. ULocker was another ransomware that appeared almost simultaneously with Euro WinLocker, and would demand 50 or 100 Euro to unlock the system.

Looking at more modern malware, we have Winlock + BrowLock (which prevents the opening of new pages), still sold today for a percentage of the income.

As a general rule, Russian hackers do not like operating in their own country. Although it may look like a very patriotic act coming from such "tough guys", the real reason is more likely that they are simply afraid of getting caught and punished by the authorities. There are, of course, exceptions, for example this "cute" contemporary locker malware, whose ransom demand is displayed in Russian.


Given this state of affairs, we can see that CryptoLocker is not the first ransomware and will surely not be the last.