Android/Pletor.B!tr

Analysis

Android/Pletor.B!tr is a successor of Android/Pletor.A!tr, a piece of ransomware targeting Android mobile phones.
When launched, it hinders usage of the phone. The user sees a lock screen in Russian stating that the phone was locked "for viewing child porn". The user is also asked to pay 100 rubles via a service called QIWI VISA WALLET to regain control of the phone and its data. The malware encrypts files with specific extensions on the phone using the AES algorithm.
It differs from its predecessor in that it is disabled/deactivated upon receipt of an SMS message, whereas its predecessor was deactivated by an HTTP response. Other differences are explained in detail further below.

Technical Details


The main application is called either "FLVplayer", "Release" or "DayWeekBar" and comes in the package "org.simplelocker".

Fig1 : FLVPlayer Icon

Fig2 : Release Icon

Fig3 : DayWeekBar Icon

It is different from Android/Pletor.A!tr in the following ways :
  • The application requests an extra permission "RECEIVE_SMS"
  • It listens for incoming SMS messages. If an SMS with the body "stopec" is received, the malware is disabled and the files are decrypted.
  • The ransom amount in this case is 100 rubles via a service called QIWI VISA WALLET (ref Fig4)
  • It doesn't use TOR. Instead the attacker's site where regular heartbeat messages are sent is hxxp://flv[REMOVED].php/


Fig4 : Ransomware Lock Screen
Google Translation:
 For viewing child porn your phone is locked!
 To unlock your phone pay 100 rubles.
 1. Locate the nearest terminal payments system QIWI
 2. Approach to the terminal and choose replenishment QIWI VISA WALLET
 3. Enter the phone number 79295382310 and press next
 4. Window appears comment - then enter your room phone only without 7ki
 5. Put money into terminal and press pay
 6. Within 180 minutes after receipt of the payment we unlock your phone.
 7. You can pay via mobile shops and Messenger Euronetwork
 CAUTION: Trying to unlock the phone yourself will:
 To complete full lock your phone to the loss of all information.
 No further possibility unlock.

Permissions required by the application:
  • INTERNET
  • ACCESS_NETWORK_STATE
  • READ_PHONE_STATE
  • RECEIVE_BOOT_COMPLETED
  • WAKE_LOCK
  • RECEIVE_SMS
  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE

The malware is aimed at Russian users.

Certificate information:
  • Owner: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  • Issuer: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  • Serial number: 936eacbe07f201df
  • Valid from: Fri Feb 29 02:33:46 CET 2008 until: Tue Jul 17 03:33:46 CEST 2035

This is the publicly available AOSP test key that ships with the Android source tree, so the signing certificate identifies the build setup rather than the author and cannot be used to attribute the sample. It is, however, a useful triage indicator: legitimate Play Store applications are not signed with it.
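The indicators listed above (the org.simplelocker package name, the permission set including RECEIVE_SMS and RECEIVE_BOOT_COMPLETED, an SMS-triggered receiver used as the "stopec" kill switch, and the AOSP test-key serial) can be checked mechanically against an unpacked APK. The following triage script is an added example, not Fortinet's code: it reads a decoded AndroidManifest.xml (for instance the output of apktool) and the signing certificate serial, and reports which Pletor.B indicators match. The sample manifest and the receiver class name ".SmsReceiver" are constructed for illustration and are not taken from the malware.

```python
"""Triage a decoded Android manifest and signing-cert serial for Pletor.B indicators.

Added example, not the page's or Fortinet's own code. The manifest below is
constructed to model the permissions and SMS receiver described in the analysis.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the analysis above.
PLETOR_PACKAGE = "org.simplelocker"
PLETOR_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Broadcast action an app must register for to see incoming SMS (the kill-switch channel).
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Serial of the public AOSP test key the sample is signed with.
AOSP_TESTKEY_SERIAL = "936eacbe07f201df"

# Constructed sample manifest (assumption: receiver class name is illustrative).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.simplelocker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="FLVplayer">
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, set of receiver actions)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Only actions declared inside <receiver> elements matter here: a service or
    # activity cannot be woken by the SMS_RECEIVED broadcast.
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver")
               for a in r.iter("action")}
    return package, perms, actions


def triage(xml_text, cert_serial):
    """Return the list of Pletor.B indicators that match the manifest and cert serial."""
    package, perms, actions = parse_manifest(xml_text)
    hits = []
    if package == PLETOR_PACKAGE:
        hits.append("package name org.simplelocker")
    if PLETOR_PERMISSIONS <= perms:
        hits.append("full Pletor.B permission set")
    elif {"android.permission.RECEIVE_SMS",
          "android.permission.RECEIVE_BOOT_COMPLETED"} <= perms:
        hits.append("RECEIVE_SMS with RECEIVE_BOOT_COMPLETED")
    if SMS_RECEIVED_ACTION in actions:
        hits.append("receiver registered for SMS_RECEIVED (kill-switch channel)")
    # keytool prints the serial in hex without leading zeros; normalise before comparing.
    if cert_serial.strip().lower().lstrip("0") == AOSP_TESTKEY_SERIAL:
        hits.append("signed with the public AOSP test key")
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_MANIFEST, "936eacbe07f201df"):
        print("[!]", hit)
```

The permission set alone is a weak signal (many legitimate apps ask for INTERNET and external storage), which is why the script reports each indicator separately rather than a single verdict; an analyst would treat the AOSP test-key serial together with an SMS_RECEIVED receiver in a video-player app as the strong combination.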

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extended
  • FortiClient: Extreme
  • FortiAPS
  • FortiAPU
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR