The first ransomware running on Android devices that encrypts files has been discovered – in contrast to earlier discoveries of heretic software also on the Android platform, which prevents access to files but does not encrypt them.
During the last several year, the infamous CryptLocker, which runs on Windows Operating System, has been a prolific source of income for hackers and criminals inside the online world.
During the last weeks there have been reports about several versions of a new ransomware designed for smartphones and tablets running Android operating system. But so far none of those programs were actually found in the wild, until today.
Now, the first ransomware Android software has been discovered, which scans the device memory looking for files and encrypts them, mostly images and media files, then demanding a ransom for their release.
A message appears on the device home screen, written in Russian and demanding payment in Ukraine currency for removing the encryption. The message also says that the device is locked because it has been used for distribution of pedophilia, bestiality and other perversion matters and in order to remove the encryption from the device, the user is required to pay a “fine” of 260 Hryvnia, which is about 20 U.S. dollars.
The payment is performed by using a service called MoneXy that allows anonymous payments over the internet.
It remains unclear exactly how the distribution of the threat works. The are indications that the malware may try to impersonate as a legitimate application containing sexual content.
Further analysis for the malware reveals that it is most likely only a prototype to a more complex ransomware application that is still under design & development. The capabilities still do not even come close the the capabilities of the common Windows ransom software, yet it is capable of encrypting files that could be inaccessible forever without the encryption key.
As always, it is not recommend to pay the ransom in order to not encourage those criminals behind the fraud to continue developing it and secondly there is no guarantee that indeed the files get back to their original state even if the ransom is paid.
Instead, it is recommended to take basic security measures, like installing only official applications for Google’s App Store, avoid clicking on suspicious links on social networks or email messages, install security apps and backup all important information stored on the device.