Android/Pletor.A!tr

Analysis

Android/Pletor.A!tr is a piece of ransomware targeting Android mobile phones.
The application was named "Sex xonix" in the sample analyzed. When launched, it hinders usage of the phone. The user sees a lock screen in Russian stating that the phone was locked "for viewing and distribution [of] child pornography, bestiality and other perversions." The user is also asked to pay either

  • 230 Ukrainian Hryvnia (~15 Euros) via a service called MoneXy, or
  • 1000 rubles via QIWI VISA WALLET

to regain control of the phone and its data.
The malware encrypts files with specific extensions on the phone with the AES algorithm.

Technical Details


The main application is called "Sex xonix" or "Shadow Fight 2" and comes in the package "org.simplelocker".

Fig1 : Application Icon
When the application is launched, the phone is 'locked' and the user sees an error message as shown in the figure below.

Fig2 : Lock Screen Message

Fig3 : Lock Screen Message
This roughly translates to:
WARNING your phone is locked!
  The device is locked for viewing and distribution
  child pornography, bestiality and other perversions.

To Fight unlock you need to pay 260 UAH.
  1. Locate the nearest terminal refill.
  2. It get MoneXy.
  3. Enter 380982049193.
  4. Pipette 260 hryvnia, and then pay.
 
  Do not forget to take a receipt!
  After receipt of payment your device will be unlocked within 24 hours.
  In case of no PAYMENT YOU WILL LOSE ALL DATA ON ALWAYS have on your ustroytvo!

The malware prevents any usage of the phone beyond this point; any key event on the phone results in the above lock screen being displayed.
Next, it sends a heartbeat message to the server http://xe[REMOVED]xs.onion/ using TOR and a local SOCKS proxy at port 9050.
These messages are sent every 3 seconds and contain a JSON object with the following values:
  • "type": "locker check"
  • "device id": [first 10 digits of the device's IMEI number]
  • "client number": "19"
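
The heartbeat described above is a useful network indicator: a small JSON object with a fixed "type", a 10-digit device id and a client number, repeated every 3 seconds towards a .onion host through the local SOCKS proxy. The following script is an added example (not code from the original analysis or from the malware) that runs that detection logic over constructed log lines. The log line shape, the 10-digit device ids and the second .onion host name are assumptions made for the example; adapt parse_line() to whatever your proxy or capture tooling actually emits.

```python
import json
import statistics
from datetime import datetime

# Values the analysis reports for the heartbeat: its "type" field and its cadence.
HEARTBEAT_TYPE = "locker check"
HEARTBEAT_INTERVAL_S = 3.0

# Constructed sample log, not real traffic. Assumed line shape:
# "<ISO timestamp> <destination host> <JSON body>", roughly what a local SOCKS
# proxy or a capture-to-text tool might emit. The device ids are made-up
# 10-digit values and "placeholder-second.onion" is an invented host name.
SAMPLE_LOG = """\
2014-05-20T10:00:00 xe[REMOVED]xs.onion {"type": "locker check", "device id": "3561234567", "client number": "19"}
2014-05-20T10:00:03 xe[REMOVED]xs.onion {"type": "locker check", "device id": "3561234567", "client number": "19"}
2014-05-20T10:00:06 xe[REMOVED]xs.onion {"type": "locker check", "device id": "3561234567", "client number": "19"}
2014-05-20T10:00:09 xe[REMOVED]xs.onion {"type": "locker check", "device id": "3561234567", "client number": "19"}
2014-05-20T10:00:30 placeholder-second.onion {"type": "locker check", "device id": "3569876543", "client number": "19"}
2014-05-20T10:00:33 placeholder-second.onion {"type": "locker check", "device id": "3569876543", "client number": "19"}
2014-05-20T10:01:00 example.com {"type": "weather", "city": "Kyiv"}
2014-05-20T10:01:05 example.com not-json-at-all
"""


def parse_line(line):
    """Split one log line into (timestamp, destination host, JSON object).
    Returns None for lines that do not have the assumed shape or whose body
    is not a JSON object."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    ts_text, host, body = parts
    try:
        ts = datetime.fromisoformat(ts_text)
        obj = json.loads(body)  # JSONDecodeError is a ValueError subclass
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    return ts, host, obj


def is_heartbeat(obj):
    """True when the object carries the three fields the analysis lists:
    the fixed type, a 10-digit device id and a client number."""
    device_id = str(obj.get("device id", ""))
    return (obj.get("type") == HEARTBEAT_TYPE
            and device_id.isdigit() and len(device_id) == 10
            and "client number" in obj)


def find_beacons(log_text, min_hits=3, tolerance_s=1.0):
    """Group heartbeat-shaped messages by (destination, device id, client number)
    and report the groups that recur at roughly the 3-second cadence.
    Returns a list of finding dicts sorted by destination."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, obj = parsed
        if not is_heartbeat(obj):
            continue
        key = (host, str(obj["device id"]), str(obj["client number"]))
        seen.setdefault(key, []).append(ts)

    findings = []
    for (host, device_id, client), stamps in sorted(seen.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - HEARTBEAT_INTERVAL_S) <= tolerance_s:
            findings.append({
                "destination": host,
                "device id": device_id,
                "client number": client,
                "hits": len(stamps),
                "median gap s": median_gap,
                "onion": host.endswith(".onion"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

With the default minimum of three hits only the first host is reported; the second host shows up when min_hits is lowered to 2, which is the trade-off between catching a short-lived infection early and avoiding noise from single JSON posts that merely share the field names.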

Finally, the malware looks for files on the phone with the extensions
"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt", "avi", "mkv", "3gp", "mp4"
and AES-encrypts them with a hardcoded key present in the package.
The encrypted files are saved with the extension .enc and the original files are deleted.
The malware can be 'disabled' and the files decrypted when the server mentioned above responds with a JSON object containing
"command": "stop"
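
When triaging an affected device, the first question is usually how much was hit. The script below is an added example (not code from the original analysis) that walks a directory, picks out files matching the "original name plus .enc" pattern for the extensions listed above, and notes whether the original is still beside the copy, which it should not be if the deletion step completed. It builds its own constructed sample tree in a temporary directory; the assumption that .enc is appended to the full original filename, and the file names used, are made up for the example.

```python
import os
import shutil
import tempfile

# Extensions the analysis lists as targeted by the malware.
TARGET_EXTENSIONS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
                     "txt", "avi", "mkv", "3gp", "mp4"}
ENCRYPTED_SUFFIX = ".enc"


def classify_encrypted_name(filename):
    """For 'photo.jpg.enc' return ('photo.jpg', 'jpg'). Returns None when the
    name does not end in .enc or the original extension is not a targeted one.
    Assumption: the .enc suffix is appended to the complete original name."""
    if not filename.endswith(ENCRYPTED_SUFFIX):
        return None
    original = filename[:-len(ENCRYPTED_SUFFIX)]
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    if ext not in TARGET_EXTENSIONS:
        return None
    return original, ext


def assess_directory(root):
    """Walk root and report every file that looks like an encrypted copy.
    Each finding records whether the original is still present next to it.
    Returns (findings, summary) where summary counts hits per original extension."""
    findings = []
    summary = {}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            hit = classify_encrypted_name(name)
            if hit is None:
                continue
            original, ext = hit
            findings.append({
                "encrypted": os.path.join(dirpath, name),
                "original": original,
                "original_present": original in present,
            })
            summary[ext] = summary.get(ext, 0) + 1
    return findings, summary


def build_sample_tree():
    """Create a constructed directory mimicking the post-infection state:
    targeted originals replaced by .enc copies, one original left behind,
    and files the malware ignores. Caller removes the directory."""
    root = tempfile.mkdtemp(prefix="pletor-triage-")
    dcim = os.path.join(root, "DCIM")
    docs = os.path.join(root, "Documents")
    os.makedirs(dcim)
    os.makedirs(docs)
    for name in ("IMG_001.jpg.enc", "IMG_002.jpg.enc", "clip.3gp.enc"):
        open(os.path.join(dcim, name), "wb").close()
    for name in ("notes.txt.enc", "notes.txt", "archive.zip",
                 "report.pdf.enc", "data.bin.enc"):
        open(os.path.join(docs, name), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        findings, summary = assess_directory(root)
        for f in findings:
            print(f)
        print("per extension:", summary)
    finally:
        shutil.rmtree(root)
```

A non-empty summary with originals missing is the signal to stop and image the storage before attempting anything else; the encrypted copies are the only remaining source for recovery once the key is extracted from the package.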

Permissions required by the application:
  • INTERNET
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE
  • RECEIVE_BOOT_COMPLETED
  • WAKE_LOCK
  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE

Aimed at Ukrainian and Russian users.
Certificate information:
  • Owner: CN=Android Debug, O=Android, C=US
  • Issuer: CN=Android Debug, O=Android, C=US
  • Serial number: 40e8512f
  • Valid from: Mon May 12 12:45:55 CEST 2014 until: Wed May 04 12:45:55 CEST 2044

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Availability
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date Version Detail
2021-03-31 85.00112
2020-06-17 78.23200
2020-03-29 76.32400
2019-08-07 70.54800
2019-07-12 69.91900
2019-06-19 69.37400
2019-06-18 69.35100
2019-06-05 69.04100
2019-05-29 68.87300
2019-05-22 68.70700