The first mobile encryptor Trojan
In the middle of May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a.
By June 5, we had detected over 2,000 infections in 13 countries, located mainly in the former USSR: Azerbaijan, Belarus, Canada, Georgia, Germany, Greece, Kazakhstan, South Korea, Russia, Singapore, Tajikistan, Ukraine and Uzbekistan. The peak in Trojan-Ransom.AndroidOS.Pletor.a distribution came on May 22 when we recorded over 500 new infections.
At the time of writing, we have managed to identify over 30 modifications of the Trojan that can be broken down into two groups. The first uses the Tor network for communicating with its owners; the second uses more standard HTTP and SMS channels. Also, when the modifications from the second group demand money from the user, they display the victim’s image using the smartphone’s front camera.