McAfee Labs Mobile Malware researchers recently detected a new strain of ransomware whose control infrastructure is hosted on a legitimate cloud application. The malware uses a web-based control panel service and also has some botnet capabilities. In this particular piece of ransomware the authors decided to use a picture of a cat for the lock screen.
The ransomware operates by constantly polling the control server for commands over HTTP, and the attackers respond with the specific instructions they have defined in the control panel. All of this traffic is sent without any encryption.
The commands that this threat can receive and carry out include sending messages from the infected device; encrypting or decrypting specific files, for example all files on the SD card; and deleting SMS messages before the victim can see them or forwarding them straight to the attacker. The attacker is also able to send SMS messages to the victim. The malware can also lock or unlock the device's screen with the above-mentioned cat image, as well as kill a running application entirely and exit.
Instead of using asymmetric encryption, the malware uses the AES algorithm with a hardcoded password, which makes the decryption process trivial. The decryption method is also contained in the app itself, so basically anyone could force the ransomware to decrypt the files if the right tactic is used.
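To illustrate why a hardcoded symmetric key makes recovery straightforward, here is an added Go example written for this page (not McAfee's analysis and not the malware's own code) that recovers a constructed "locked" file once the password has been pulled out of the APK. The placeholder password, the SHA-256 key derivation, CBC mode and the all-zero IV are all assumptions, since the page gives none of those details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Placeholder for the password an analyst pulls out of the APK; the page does not give the real value.
const recoveredPassword = "PLACEHOLDER-hardcoded-password"
// The page does not say how the sample derives its key; SHA-256 of the password is assumed for illustration.
func keyFromPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }
// encryptCBC only exists to build the constructed "locked" file used below.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte key, so this cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
// DecryptCBC is the whole recovery step: same key, same mode, PKCS#7 padding stripped.
func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return out[:len(out)-pad], nil
}
// RecoverSample locks a constructed file with the hardcoded password, then recovers it.
func RecoverSample() (string, error) {
	key := keyFromPassword(recoveredPassword)
	iv := make([]byte, aes.BlockSize) // constructed all-zero IV
	plain, err := DecryptCBC(key[:], iv, encryptCBC(key[:], iv, []byte("holiday.jpg (constructed contents)")))
	return string(plain), err
}
func main() { fmt.Println(RecoverSample()) }
```

With a proper design the key would never be on the device, so this recovery step would not be possible; that absence is exactly the weakness the researchers point out.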
The owners of the abused servers were notified by McAfee Labs and asked to immediately close down the malicious service.
As it turns out, this piece of ransomware looks like a sample used to market malware kits to cyber crooks. What led researchers to believe that is the lack of protection on the control server interface and the presence of words like “MyDificultPassw” in the code.
Usually, cybercriminals who purchase exploit kits on the black market are the main distributors of threats like this one. The crooks' targets are either a particular company or a specific group of people, and their main techniques include Trojan apps, social media networks and phishing campaigns.
The ransomware is detected as Android/Ransom.ElGato by the McAfee Mobile security service. If the “ElGato” ransomware is detected on a mobile device, McAfee notifies the owner of its presence while protecting their data from being stolen or deleted.