Cryptolocker, an effective piece of ransomware that has infected hundreds of thousands of PCs, could be moving on to a more enticing target: Android devices.
The mobile version of Cryptolocker uses the same techniques as the PC version of the ransomware, encrypting files and demanding a ransom to be paid or face the possibility of seeing all files destroyed forever.
Cryptolocker came to mainstream attention in the second half of 2012, and was unique among ransomware at the time for asking for payment in bitcoin rather than cash. The ransomware became so widespread it lead to the UK government issuing a warning about a “mass email spamming event” which was trying to exploit the ransomware and targeting tens of millions of UK email addresses.
Now a security researcher named Kafeine uncovered the same ransomware selling on underground forums claiming it can infect and encrypt Android smartphones and tablets.
The new version of CryptoLocker targets Android devices and when victims visit a malicious domain on their smartphone or tablet, it redirects them to a porn website where the criminals use social engineering to trick users into downloading a malicious file.
The file masquerades as a porn app but once opened it locks the phone or tablet and throws up a warning messaging saying police detected the device for spreading pornographic material.
There piece of ransomware is flexible and contains variants for 30 different countries, meaning the warning message you see if you are in the UK will look like it comes from the Metropolitan Police while in the U.S. it could look like it comes from the FBI.
Considering just how many Android smartphones and tablets are currently in use, this could become a serious problem very quickly.
However, a successful infection requires the user to physically download the app and for the app to end up installed would require the user to have changed the default Android settings which only allow apps to be installed which have been downloaded from the official Google Play Store.
The new malware is from the same group who was responsible for the Reveton ransomware which began spreading across Europe in 2012.
Despite the European Cybercrime Centre (EC3) making several arrests relating to the gang behind the operation of Reveton in February of last year, it appears as if the gang is still operating.