‘Cat-Loving’ Mobile Ransomware Operates With Control Panel


Recently the McAfee Labs Mobile Malware Research team found a sample of Android ransomware with botnet capabilities and a web-based control panel. The malicious service is hosted on a legitimate cloud service provider.

The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this variant the malware’s authors include a picture of a cat:

[Image: 20160808 ElGato 1]

The ransomware constantly polls the control server over HTTP for new commands, and the malicious server responds with the instructions the attackers have defined in the control panel. All of this traffic is transmitted in cleartext, without encryption.
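Because the bot polls its control server in cleartext at a steady cadence, the polling is visible in any web proxy or gateway log, and its regularity is itself a detectable signal. The following Go program is an added example, not code from the article or from McAfee: it groups requests by client/server pair, measures the spacing between consecutive requests, and flags pairs that poll with low jitter. The log format, the addresses (203.0.113.10 standing in for the control server) and the paths are all constructed placeholders, and the thresholds are assumptions to tune against real traffic.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Beacon is one client->server pair whose requests arrive at near-constant intervals.
type Beacon struct {
	Client   string
	Host     string
	Requests int
	MeanGap  float64 // mean seconds between consecutive requests
	Jitter   float64 // std deviation of the gaps divided by the mean (0 = perfectly regular)
}

// proxyLog is a constructed sample in a simplified "timestamp client server path" format.
// 203.0.113.10 stands in for the control server and 198.51.100.7 for ordinary web traffic;
// addresses and paths are placeholders, not indicators taken from the article.
const proxyLog = `
2016-08-08T10:00:00Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:00:30Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:01:00Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:01:30Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:02:00Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:02:30Z 10.0.0.12 203.0.113.10 /cmd
2016-08-08T10:00:05Z 10.0.0.12 198.51.100.7 /index.html
2016-08-08T10:00:07Z 10.0.0.12 198.51.100.7 /style.css
2016-08-08T10:01:41Z 10.0.0.12 198.51.100.7 /news
2016-08-08T10:02:02Z 10.0.0.12 198.51.100.7 /img/1.png
2016-08-08T10:00:10Z 10.0.0.25 198.51.100.7 /index.html
2016-08-08T10:03:00Z 10.0.0.25 198.51.100.7 /about
`

type pair struct{ client, host string }

// DetectBeacons groups requests by (client, server), computes the gaps between
// consecutive requests, and reports pairs with at least minRequests requests whose
// gap jitter (std/mean) is at or below maxJitter. Results are sorted for stable output.
func DetectBeacons(logText string, minRequests int, maxJitter float64) []Beacon {
	seen := map[pair][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // skip malformed lines
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		p := pair{f[1], f[2]}
		seen[p] = append(seen[p], ts)
	}

	var out []Beacon
	for p, times := range seen {
		if len(times) < minRequests || len(times) < 2 {
			continue
		}
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		gaps := make([]float64, 0, len(times)-1)
		for i := 1; i < len(times); i++ {
			gaps = append(gaps, times[i].Sub(times[i-1]).Seconds())
		}
		mean, sd := meanStd(gaps)
		if mean <= 0 {
			continue // all requests share one timestamp; not a polling pattern
		}
		if jitter := sd / mean; jitter <= maxJitter {
			out = append(out, Beacon{p.client, p.host, len(times), mean, jitter})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Client != out[j].Client {
			return out[i].Client < out[j].Client
		}
		return out[i].Host < out[j].Host
	})
	return out
}

// meanStd returns the mean and population standard deviation of xs.
func meanStd(xs []float64) (float64, float64) {
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var sq float64
	for _, x := range xs {
		sq += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sq / float64(len(xs)))
}

func main() {
	for _, b := range DetectBeacons(proxyLog, 4, 0.2) {
		fmt.Printf("%s -> %s: %d requests every %.0fs (jitter %.2f)\n",
			b.Client, b.Host, b.Requests, b.MeanGap, b.Jitter)
	}
}
```

In the constructed sample only the 10.0.0.12 to 203.0.113.10 pair is flagged: six requests exactly 30 seconds apart. The same client's browsing of 198.51.100.7 has enough requests but irregular spacing, and 10.0.0.25 has too few requests to judge. In production the same logic runs over a sliding window, and a flagged pair is then checked against the bot's other traits the article describes (an unencrypted command channel polled by an app rather than a browser).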

[Image: 20160808 ElGato 2]

The commands that this threat can receive and perform are described in the following table:

Command  Tag                       Description
0        Read commands             HTTP request to control server for new commands
1        Send SMS message          Send message from infected device
2        Remove all SMS            Forward and delete all SMS messages
3        Encrypt SD files          Encrypt all files on SD card and add extension .enc
4        Encrypt path in SD        Encrypt all files on SD card in a specific path with extension .enc
5        Decrypt SD files          Decrypt affected files on SD card that contain extension .enc
6        Decrypt path in SD files  Decrypt files in a specific path on SD card
7        Lock                      Lock screen
8        Exit                      Kill application and exit

Reading commands from the control server:

[Image: 20160808 ElGato 3]

Notable features of this ransomware include the ability to encrypt specific files, to steal SMS messages (forwarding them to the attacker while preventing the victim from ever seeing them), and to lock access to the device. Files are encrypted with AES using a hardcoded password. Unlike asymmetric encryption, a hardcoded symmetric password makes decryption trivial. Moreover, the application code contains a method to decrypt the affected files, so the ransomware app itself can be made to restore them by invoking that method.
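The recovery implication of a hardcoded symmetric key is concrete: whoever has the password (and the file layout) can restore every .enc file without any key from the attacker. The Go program below is an added example, not code from the article, from McAfee, or from the malware; it implements such a recovery tool. The article does not disclose the password, the key-derivation scheme or the file layout, so those are assumptions here: the password is a placeholder string, the key is SHA-256 of the password, and each .enc file is assumed to be AES-CBC with a 16-byte IV prefix and PKCS#7 padding. The encryptFixture helper exists only to build sample input so the recovery can be demonstrated offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Placeholder for the hardcoded password the article describes; the real value
// and the exact key-derivation scheme are not given in the post.
const hardcodedPassword = "PLACEHOLDER-HARDCODED-PASSWORD"

const encExt = ".enc" // extension the command table says is appended to encrypted files

// keyFromPassword derives an AES-256 key by hashing the password (assumed scheme).
func keyFromPassword(pw string) []byte {
	sum := sha256.Sum256([]byte(pw))
	return sum[:]
}

// Decrypt reverses the assumed layout: 16-byte IV, then AES-CBC body with PKCS#7 padding.
// A bad padding result means a wrong password or a corrupted file.
func Decrypt(data []byte, pw string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromPassword(pw))
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not IV plus a whole number of blocks")
	}
	iv, body := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize ||
		!bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong password or corrupted file")
	}
	return out[:len(out)-pad], nil
}

// encryptFixture produces a sample .enc payload under the same assumed layout.
// It exists only to create demo/test input for RecoverDir.
func encryptFixture(plain []byte, pw string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromPassword(pw))
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// RecoverDir walks dir, decrypts every *.enc file with the hardcoded password, writes
// the plaintext under the original name and removes the .enc copy only after a
// successful write. It returns the number of files restored.
func RecoverDir(dir, pw string) (int, error) {
	restored := 0
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() || !strings.HasSuffix(path, encExt) {
			return nil
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		plain, err := Decrypt(data, pw)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if err := os.WriteFile(strings.TrimSuffix(path, encExt), plain, 0o600); err != nil {
			return err
		}
		if err := os.Remove(path); err != nil {
			return err
		}
		restored++
		return nil
	})
	return restored, err
}

func main() {
	dir, err := os.MkdirTemp("", "recover-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	enc, _ := encryptFixture([]byte("constructed sample file contents"), hardcodedPassword)
	_ = os.WriteFile(filepath.Join(dir, "photo.jpg"+encExt), enc, 0o600)
	n, err := RecoverDir(dir, hardcodedPassword)
	fmt.Println("restored:", n, "error:", err)
}
```

Against a real sample the three assumptions (password, key derivation, file layout) are read out of the decompiled decrypt method the article mentions, and the rest of the tool stays the same. Note the ordering in RecoverDir: the original file is written before the .enc copy is removed, so a failed decrypt or write never costs the victim the encrypted copy.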

Decrypting the affected files:

[Image: 20160808 ElGato 4]

The malicious server control panel for the botnet allows several remote commands:

  • Lock/unlock the screen (with a cat image).
  • Send SMS messages to the victim.
  • Encrypt/decrypt SD card memory files (with a hardcoded password).
  • Silently steal SMS messages from the victim’s device.

[Image: 20160808 ElGato 5]

McAfee Labs has informed the owners of the abused servers and has requested they take down the malicious service.

This ransomware variant looks like a demo version used to commercialize malware kits for cybercriminals: the control server interface is not protected, and the code includes strings such as MyDificultPassw.

These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.

McAfee Mobile Security detects this Android threat as Android/Ransom.ElGato and alerts mobile users if the malware is present, while protecting them from any data loss. Follow this link for more information about McAfee Mobile Security.

For help in combatting ransomware, follow this link to the site No More Ransom!

To keep up with the latest security threats, follow @McAfee on Twitter and like us on Facebook.

