‘Cat-Loving’ Mobile Ransomware Operates With Control Panel


Recently the McAfee Labs Mobile Malware Research team found a sample of Android ransomware with botnet capabilities and a web-based control panel. The control panel service is hosted on a legitimate cloud service provider.

The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this variant the malware’s authors include a picture of a cat:

[Image: 20160808 ElGato 1]

The ransomware constantly requests commands from the control server via HTTP, and the malicious server responds with the attackers’ instructions defined in the control panel. All of this traffic is transmitted without encryption.
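Because the command polling described above happens over plaintext HTTP at a steady cadence, it is visible to any proxy or gateway log. The following Python example (added here; not code from the original post or from McAfee) shows one way a defender can surface that behaviour: group requests per client and URL, and flag unencrypted endpoints that are hit at a near-constant interval. The log lines, the host names and the paths are constructed for the example; the real control server URL is not given in the post.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp, client, method, URL); not real ElGato traffic.
SAMPLE_LOG = """\
2016-08-08T10:00:00 10.0.0.7 GET http://cloud-host.example/panel/cmd.php
2016-08-08T10:00:30 10.0.0.7 GET http://cloud-host.example/panel/cmd.php
2016-08-08T10:01:00 10.0.0.7 GET http://cloud-host.example/panel/cmd.php
2016-08-08T10:01:30 10.0.0.7 GET http://cloud-host.example/panel/cmd.php
2016-08-08T10:02:00 10.0.0.7 GET http://cloud-host.example/panel/cmd.php
2016-08-08T10:00:05 10.0.0.9 GET http://news.example/index.html
2016-08-08T10:07:12 10.0.0.9 GET http://news.example/story/42
2016-08-08T10:09:40 10.0.0.9 GET http://news.example/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the four-column log format above into (datetime, client, method, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, url))
    return events


def find_beacons(events, min_requests=4, max_jitter=0.2, plaintext_only=True):
    """Return [(client, url, mean_interval_seconds)] for (client, url) pairs that are
    requested at a regular cadence.  Regularity is measured as the coefficient of
    variation of the inter-request gaps; a value near 0 means a fixed timer."""
    by_key = defaultdict(list)
    for ts, client, method, url in events:
        if plaintext_only and not url.startswith("http://"):
            continue  # the post's sample talks to its panel over unencrypted HTTP
        by_key[(client, url)].append(ts)

    hits = []
    for (client, url), times in by_key.items():
        if len(times) < min_requests:
            continue  # too few samples to call it polling
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        spread = statistics.pstdev(gaps) / mean
        if spread <= max_jitter:
            hits.append((client, url, round(mean)))
    return hits


if __name__ == "__main__":
    for client, url, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} polls {url} every ~{interval}s over plaintext HTTP")
```

The thresholds (`min_requests`, `max_jitter`) are tuning knobs: lower jitter tolerance cuts false positives from browsers refreshing a page, while a larger request count trades detection delay for confidence. In a real deployment the same grouping would run over a sliding window rather than a whole file.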

[Image: 20160808 ElGato 2]

The commands that this threat can receive and perform are described in the following table:

Command  Tag                        Description
0        Read commands              HTTP request to control server for new commands
1        Send SMS message           Send message from infected device
2        Remove all SMS             Forward and delete all SMS messages
3        Encrypt SD files           Encrypt all files on SD card and add extension .enc
4        Encrypt path in SD         Encrypt all files on SD card in a specific path with extension .enc
5        Decrypt SD files           Decrypt affected files on SD card that contain extension .enc
6        Decrypt path in SD files   Decrypt files in a specific path on SD card
7        Lock                       Lock screen
8        Exit                       Kill application and exit

Reading commands from the control server:

[Image: 20160808 ElGato 3]

Notable features of this ransomware include encrypting specific files, stealing SMS messages (forwarding them to the attacker while preventing the victim from seeing them), locking access to the device, and encrypting files with AES using a hardcoded password. Unlike asymmetric encryption, a hardcoded symmetric password makes decryption trivial. Moreover, the application code already contains a method to decrypt the affected files, so the ransomware app itself can be made to restore them by invoking that method.
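The point above, that a symmetric key baked into the APK is recoverable by anyone who decompiles it, is something an analyst checks for early in triage. The Python example below (added here; it is not the post's or McAfee's tooling) scans decompiled Java for string constants that flow into `SecretKeySpec` or `IvParameterSpec`, reports the cipher transformation requested, and notes whether the literal's length is a valid AES key size; a literal that is not 16, 24 or 32 bytes means some padding or key-derivation step sits between the password and the key and should be located next. The source fragment is constructed for the example and only reuses the `MyDificultPassw` string mentioned in the post; the real app's cipher mode and key handling are not described on the page.

```python
import re

# Constructed decompiled-Java fragment; illustrative, not the ElGato source.
SAMPLE_SOURCE = '''
public class Crypt {
    private static final String KEY = "MyDificultPassw";
    private static final String IV = "0123456789abcdef";

    public static byte[] run(byte[] data, boolean enc) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(enc ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, k,
               new IvParameterSpec(IV.getBytes("UTF-8")));
        return c.doFinal(data);
    }
}
'''

# String constants declared in the class: name -> literal value
STRING_CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
# First identifier passed to the key / IV constructors (e.g. KEY in KEY.getBytes(...))
KEYSPEC_RE = re.compile(r'SecretKeySpec\s*\(\s*(\w+)')
IVSPEC_RE = re.compile(r'IvParameterSpec\s*\(\s*(\w+)')
# Key passed directly as a literal: new SecretKeySpec("...".getBytes(), "AES")
LITERAL_KEY_RE = re.compile(r'SecretKeySpec\s*\(\s*"([^"]+)"')
CIPHER_RE = re.compile(r'Cipher\.getInstance\s*\(\s*"([^"]+)"')

AES_KEY_SIZES = (16, 24, 32)


def find_hardcoded_key_material(source):
    """Heuristic static triage of decompiled Java.

    Returns {"ciphers": [...], "keys": [(name, value, valid_aes_length)], "ivs": [(name, value)]}.
    A key entry with valid_aes_length == False tells the analyst that a derivation or
    padding step still has to be found before files can be decrypted."""
    consts = dict(STRING_CONST_RE.findall(source))
    findings = {"ciphers": CIPHER_RE.findall(source), "keys": [], "ivs": []}

    for name in KEYSPEC_RE.findall(source):
        if name in consts:
            value = consts[name]
            findings["keys"].append((name, value, len(value.encode("utf-8")) in AES_KEY_SIZES))
    for lit in LITERAL_KEY_RE.findall(source):
        findings["keys"].append(("<literal>", lit, len(lit.encode("utf-8")) in AES_KEY_SIZES))
    for name in IVSPEC_RE.findall(source):
        if name in consts:
            findings["ivs"].append((name, consts[name]))
    return findings


if __name__ == "__main__":
    result = find_hardcoded_key_material(SAMPLE_SOURCE)
    print("cipher transformations:", result["ciphers"])
    for name, value, ok in result["keys"]:
        note = "" if ok else " (not a valid AES key length: look for padding/KDF)"
        print(f"key material {name} = {value!r}{note}")
    for name, value in result["ivs"]:
        print(f"static IV {name} = {value!r}")
```

This is deliberately a regex pass rather than a parser: it is meant to run over jadx or similar output in seconds and tell the analyst where to look. Keys built at runtime (concatenation, device identifiers, obfuscated strings) will not be caught, which is exactly when a dynamic hook on `SecretKeySpec` is the next step.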

Decrypting the affected files:

[Image: 20160808 ElGato 4]

The malicious server control panel for the botnet allows several remote commands:

  • Lock/unlock the screen (with a cat image).
  • Send SMS messages to the victim.
  • Encrypt/decrypt SD card memory files (with a hardcoded password).
  • Silently steal SMS messages from the victim’s device.

[Image: 20160808 ElGato 5]

McAfee Labs has informed the owners of the abused servers and has requested they take down the malicious service.

This ransomware variant looks like a demo version used to market malware kits to cybercriminals: the control server interface is not protected, and the code includes strings such as MyDificultPassw.

These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.

McAfee Mobile Security detects this Android threat as Android/Ransom.ElGato and alerts mobile users if the malware is present, while protecting them from any data loss. Follow this link for more information about McAfee Mobile Security.

For help in combatting ransomware, follow this link to the site No More Ransom!

To keep up with the latest security threats, follow @McAfee on Twitter and like us on Facebook.
