Ransomware Gang Targets Android Phones

The Reveton Gang is at it again. This time, though, they’re targeting users of Android phones — typically visitors to porn sites.

The gang that pioneered the idea of locking up a target’s computer and demanding a ransom to unlock it has turned its attention to the rapidly growing mobile market.

Once Reveton mobile infects a phone, it will display a bogus warning from a fractured local law enforcement authority. In the U.S. it’s “Mandiant U.S.A. Cyber Security/FBI Department of Defense/U.S.A. Cyber Crime Center.”

Needless to say, the gang doesn’t know a lot about the U.S. government or law enforcement, but that’s irrelevant to someone whose phone is suddenly bricked until the online extortionists get their payment.

The gang’s tactics haven’t changed since they introduced their malware years ago.

“Just as its Windows-based variant, it performs a geolocation lookup for the device’s IP and displays a customized page using some local law enforcement branding,” explained Bogdan Botezatu, a senior e-threat analyst with Bitdefender.

“In order to get their phones back,” he told TechNewsWorld, users must “pay a $300 fine via untraceable payment mechanisms such as Paysafecard or uKash.”

A phone can acquire the ransomware just by visiting an infected porn site, Botezatu explained. However, some user interaction is needed to install the bad app once it reaches a phone.

Pure Ransomware

Although the malware’s warning screen claims the app encrypts all data on the phone, making the data inaccessible, that claim may be dubious.

“It’s been hard for anyone to find any evidence of that,” David Britton, vice president of industry solutions for 41st Parameter, told TechNewsWorld.

“This is more scareware than anything else. What we find is that when these things are marketed to the world, the claims about what they can do are sometimes more robust than what they actually do,” he said.

“The marketing efforts of the bad guys can be impressive,” added Britton, “but the capability of the actual technology can be less than that.”

Rather than encrypt all the data on the phone as CryptoLocker does on a PC, mobile Reveton is pure ransomware. “It puts a wrapper over all the interfaces and UIs,” JD Sherry, vice president of technology and solutions for Trend Micro, told TechNewsWorld. “So a user can’t do anything because malware has system-level access.”

The malware doesn’t make the effort to obtain the permissions it would need to encrypt data on an Android phone, Botezatu explained.

“The cybercriminals wanted to keep it simple,” he said. “This might be the first iteration — a test case, if you will — of a very successful breed of mobile ransomware.”

The arrival of ransomware on the mobile scene is just the beginning of a gathering storm.

“This is going to be massive,” Sherry said. “This will be the year that we see a tremendous amount of malware hitting mobile phones, and I don’t think consumers and organizations are prepared to handle these attacks once they migrate to mobile devices.”

Dropbox Boo-Boo

Dropbox grappled last week with a vulnerability in its user file-sharing system. It seems that there are activities performed with the links — typing them into a search engine, for example — that can allow unintended parties to use them.

The problem, discovered by Intralinks, isn’t limited to Dropbox, said Sri Chilukuri, vice president of enterprise product marketing at Intralinks.

Most file-sharing services allow you to share files with others by sending them a link. Whoever clicks on that link — whether it’s who you thought you sent the link to or not — can see the file at the end of the link.

To address that issue, some sharing services allow a user to require authentication by the person who’s supposed to click the link — perhaps requiring the recipient to log into the file-sharing service, for instance, before the link can be executed.
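The two settings described above, as an added illustration that is not code from the article, Dropbox or Intralinks: a toy share-link service in which a link with no required recipient is a bearer capability (anyone who ends up holding it can read the file), while a link bound to an authenticated recipient is useless to a stranger. The host name, file contents and user names are constructed for the example.

```python
import secrets

# Constructed sample data: one sensitive file and an in-memory share table.
FILES = {"tax-records-2013.pdf": b"<constructed tax return contents>"}
SHARES = {}   # token -> (filename, required recipient or None)


def create_share(filename, recipient=None):
    """Mint a share link for filename.

    recipient=None models the consumer setting with no authentication:
    the link is a bearer capability and whoever holds it can read the file.
    A non-None recipient models the 'require authentication' option: the
    link only works for that logged-in user.
    """
    token = secrets.token_urlsafe(16)
    SHARES[token] = (filename, recipient)
    return f"https://share.example/s/{token}"   # hypothetical host


def fetch(link, session_user=None):
    """Resolve a share link for whoever clicked it (None = not logged in).

    Returns the file bytes, or None when access is denied.
    """
    token = link.rsplit("/", 1)[-1]
    entry = SHARES.get(token)
    if entry is None:
        return None
    filename, recipient = entry
    if recipient is not None and session_user != recipient:
        return None   # a leaked copy of the link is useless without the recipient's session
    return FILES.get(filename)


def leak_scenario():
    """Compare both settings once the link has reached an unintended party."""
    open_link = create_share("tax-records-2013.pdf")
    bound_link = create_share("tax-records-2013.pdf", recipient="alice")
    # The link is typed into a search box and later turns up with a stranger:
    return {
        "open_link_stranger": fetch(open_link) is not None,
        "bound_link_stranger": fetch(bound_link, session_user="mallory") is not None,
        "bound_link_recipient": fetch(bound_link, session_user="alice") is not None,
    }
```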

“With Dropbox’s consumer product, there’s no choice at all for authentication,” Chilukuri told TechNewsWorld. That can create some security risks for consumers.

“People have shared links to tax records and market statements — very highly sensitive documents,” Chilukuri said.

In addition to its consumer product, Dropbox has an enterprise product. However, authentication is turned off by default.

“Since those users don’t know about this issue, they send unauthenticated links as well. In fact, many of the files we found when we uncovered these links were business files related to company IP,” Chilukuri pointed out.

“The key message here,” he said, “is that people have to be very cautious about using this type of product for sharing sensitive information.”

Breach Diary

  • May 5. Ninth Annual Ponemon Cost of Data Breach Study finds average cost of a data breach increased 15 percent over the last year to US$3.5 million.
  • May 5. Target CEO Gregg Steinhafel announces resignation. On his watch, retailer suffered data breach compromising payment card and personal information of 110 million customers.
  • May 6. Kaspersky Lab reports spam volumes declined by 6.42 points from the fourth quarter of 2013 to the first quarter of this year. However, first quarter volumes compared to the same period in 2013 were about the same, with 66 percent of all email traffic being spam.
  • May 6. Molina Healthcare in New Mexico notifies some 5,000 former members their addresses and possibly Social Security numbers were compromised on post cards mailed by the organization. A year of identity protection services is being offered to anyone affected by the breach.
  • May 7. Lookout Mobile Security releases report on smartphone theft finding most common site for snatching mobiles to be restaurants (16 percent), followed by bar or nightclub (11 percent), work (11 percent), and public transportation (6 percent).
  • May 7. French telecom Orange discloses personal data of some 1.3 million customers stolen by hackers. In February, personal information for 800,000 customers was stolen from the company.
  • May 7. Georgetown, Texas, police retract statement that a man they arrested for credit card fraud was connected to Target data breach in 2013.
  • May 7. Security researcher Yngve Nyster Pettersen reveals that some 2,500 servers free of the Heartbleed bug were infected with it when their administrators installed a buggy upgrade on the machines. He estimates cost of cleaning up error to be $12 million.
  • May 7. House Judiciary Committee approves and sends to House the USA Freedom Act, which scales back U.S. government domestic surveillance programs.
  • May 7. Microsoft reports the average number of Windows computers infected with malware jumped at the end of 2013, to 17 per 1,000 in the fourth quarter from 5.8 per 1,000 in quarter three.
  • May 8. Check Point releases annual security report finding 63 percent of organizations are infected by bots and more than half of organizations (54 percent) have had at least one data loss incident in 2013.
  • May 8. New York-Presbyterian Hospital and Columbia University Medical Center agree to pay U.S. HHS Office for Civil Rights a $4.8 million joint settlement over a 2010 data breach that compromised 6,800 patient records.
  • May 8. Survey by Atomic research and Tripwire finds more than a third (35 percent) of retail and financial institutions need more than two days to discover a data breach of their systems.
  • May 8. URL shortening service Bitly resets all users’ passwords after discovering compromise of users’ credentials.
  • May 9. South Carolina legislature votes to keep secret report on data breach at state tax department last fall that compromised personal information of some 6.3 million taxpayers, businesses and children.
  • May 8. California Senate approves and sends to Assembly bill requiring kill switch in smartphones.
  • May 9. Errata Security estimates that 318,239 servers still remain vulnerable to the Heartbleed bug, nearly a 50 percent drop from the number vulnerable when the flaw was first discovered about a month ago.
  • May 9. Twitter activates feature that allows users to reset their password using SMS messaging.

Upcoming Security Events

  • May 13. Kansas City SecureWorld Expo. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • May 15. Applying Machine Learning to Network Security Monitoring. 2 p.m. ET. Black Hat webcast. Free with registration.
  • May 15. The Future of Privacy and Data Security Regulation. 8 a.m.-5 p.m. ET. George Mason University School of Law, 3301 Fairfax Drive, Arlington, Va. Free with registration.
  • May 17. B-Sides Nashville 2014. Lipscomb University Campus, Nashville, Tenn. Free.
  • May 17. B-Sides New Orleans 2014. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Fee: $10.
  • May 17. B-Sides Cincinnati 2014. Main Street Theater, Tangeman Hall, University of Cincinnati, Cincinnati. Free registration, pizza and beer.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 21. Houston SecureWorld. Stafford Centre, 10505 Cash Road, Stafford, Texas. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 5. Portland SecureWorld. DoubleTree by Hilton, 1000 NE Multnomah, Portland, Ore. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 6-7. B-Sides Asheville. Mojo Coworking, Asheville, NC. Fee: NA.
  • June 6-7. B-Sides Cape Town. Dimension Data, 2 Fir St., Cape Town, South Africa. Fee: NA.
  • June 14. B-SidesCT. Quinnipiac University-York Hill Campus, Rocky Top Student Center, 305 Sherman Ave, Hamden, Conn. Fee: NA.
  • June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, $495; June 18, $595.
  • June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
  • June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • Ukash reminds all mobile, tablet and computer users to heed this three-point advice:

    1. Never pay advance fees even if you believe you’re paying a fine

    2. Never use payment schemes that you are not familiar with

    3. Only use Ukash codes on the internet and only at genuine websites, never send them by phone or e-mail.

    More information on why Ukash is the safe way to pay online can be found here.
