Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us

    Ransomware continues to make waves, especially with the rise of file-encrypting ransomware like CryptoLocker. However, we are seeing yet another alarming development for this malware: it is now targeting mobile devices.

    Reveton Makes a Comeback

    In early May, it was reported that this mobile ransomware was the product of the Reveton gang. Reveton was one of the many cybercrime groups that spread police ransomware, which hit Europe and the U.S. and consequently spread to the other parts of the world.

    It now appears that these cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts  resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware.

    This is detected as ANDROIDOS_LOCKER.A and can be downloaded through a specific URL. The domain contains words like “video” and “porn,” which can give an idea of how users wound up on the site.

    The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. People will not be able to uninstall the malicious app by traditional uninstall means as one would normally do because the system or even the AV UI is always “covered” by the malware’s UI.

    It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content.  The ransomware appears to be capable of sending information to these C&C servers albeit a limited function because it only has few permissions.

    These URLs are hosted in two IP addresses located in the U.S. and in the Netherlands. Further analysis reveals that these IP addresses also host other malicious URLs, though not related to this particular malware.

    The Continued Migration to Mobile and Best Practices

    Over the last couple of years, “desktop” malware have continued to make their way to mobile endpoints. We reported last March that we encountered Bitcoin-mining malware that targets Android devices. To avoid these threats, we strongly suggest that you disable your device’s ability to install apps from sources outside of Google Play and double check the developer of the app you want to download and be very meticulous of the app reviews to verify apps’ legitimacy.

    This setting can be found under Security in the system settings of Android devices. On-device security solutions (like Trend Micro Mobile Security) provide an additional layer of protection that detects even threats which arrive outside of authorized app stores.

    With additional analysis from Yang Yang and Paul Pajares





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    • Threat Researcher

      Question: what evidence do you have other than a blog post you linked that this is ACTUALLY the work of the Reveton gang? The leader of the gang and most of his lieutenants were arrested many many many months ago.

      I have seen zero concrete evidence that actually links these Android threats to the original Reveton group.

      Does Trend have any actual evidence linking it to Reveton, or would these threats be better defined as “reveton style malware”?

      • Threat Researcher

        Still waiting for an answer here guys.

        • TrendLabs

          Hi,

          The article by the security researchers that claimed the relation between this ransomware and the Reveton gang is linked above.

          Hope this helps.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice