Android apps removed from Play Store for hosting adware
Malware which locks down your computer, demanding a ransom to release your files will soon be targeting Android smartphones and tablets. Reuters

A pernicious piece of malware known as Cryptolocker which has infected hundreds of thousands of PCs could soon be targeting the more than one billion Android smartphones and tablets as a version of the ransomware goes on sale in underground web forums.

The mobile version of Cryptolocker uses the same techniques as the PC version of the ransomware, encrypting all your files and demanding a ransom to be paid or face the possibility of seeing all your files destroyed forever.

What is Ransomware?

Ransomware is a piece of malware which locks down your computer's hard drive, encrypts all the files on it, and asks you to pay a ransom (typically around $300) to release the files or lose them forever. In some cases the user is presented with a fake warning claiming to be from a local law enforcement agency saying it has discovered images of child pornography on your computer.

Cryptolocker came to mainstream attention in the second half of 2012, and was unique among ransomware at the time for asking for payment in bitcoin rather than cash. The ransomware became so widespread it lead to the UK government issuing a warning about a "mass email spamming event" which was trying to exploit the ransomware and targeting tens of millions of UK email addresses.

Now a security researcher called Kafeine has uncovered the same ransomware being sold on underground forums claiming it can infect and encrypt Android smartphones and tablets.

Porn app

UK Android CryptoLocker Warning Screen
The UK-specific warning screen shown on Android versions of the Cryptolocker ransomware. Kafeine

The new version of CryptoLocker targets Android devices and when victims visit a malicious domain on their smartphone or tablet, it redirects them to a porn website where the criminals use social engineering to trick users into downloading a malicious file.

The file masquerades as a porn app but once opened it locks the phone or tablet and throws up a warning messaging saying the device has been detected by police for spreading pornographic material.

There piece of ransomware is flexible and contains variants for 30 different countries, meaning the warning message you see if you are in the UK will look like it comes from the Metropolitan Police while in the US it could look like it comes from the FBI.

Considering just how many Android smartphones and tablets are currently in use, this could become a serious problem very quickly.

However, a successful infection firstly requires the user to physically download the app and secondly, for the app to be installed would require the user to have changed the default Android settings which only allow apps to be installed which have been downloaded from the official Google Play Store.

Reveton gang

The new malware is being sold by the same group who were responsible for the Reveton ransomware which began spreading across Europe in 2012.

Despite the European Cybercrime Centre (EC3) making several arrests relating to the gang behind the operation of Reveton in February of last year, it appears as if the gang is still operating. The advert which Kafeine is basing his findings on was first posted back in February - and it is unclear if anyone is actively trying to exploit this in the wild.

The criminals behind the ransomware typically ask for payment of $300 to unlock the device and as is usual in these cases, they are asking to be paid through MoneyPak.

MoneyPak is only available in the US and as it is a lot easier to process, it is the main way people there pay the ransom.

In CryptoLocker cases seen on computers, criminals have been offering bitcoin as a payment alternative to those outside of the US, though cybercriminals don't typically like to use cryptocurrency as it is too difficult to handle effectively.