ElGato Ransomware Claws At Android Devices, Steals SMS Messages

Go ahead and cue up Cartman's "No kitty, that's a bad kitty!" soundbite, only this time it's not in reference to stealing those delicious Cheesy Poofs. McAfee's mobile malware research division found a sample of ransomware for Android that it's calling "ElGato," and once a device is infected, the malware can steal the user's SMS messages, among wreaking other kinds of havoc.

ElGato has botnet capabilities and a web-based control panel service, McAfee says. It's an ornery piece of software that reveals itself as a humorous image of a cat on infected devices. In addition to silently swiping potentially sensitive SMS messages, once a device is infected a remote attacker can encrypt the target's files with AES using a hard-coded password, locking out the rightful owner of the device.

Smiling Cat

Whatever mischief the perpetrators are up to gets transmitted in plain sight. McAfee says the ransomware constantly requests commands from the control server over HTTP, with the malicious server responding with whatever instructions the attacker has set up in the control panel. All of that back and forth is transmitted without any encryption.
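Steady, unencrypted polling of a control server is exactly the pattern a network defender can look for in proxy logs. The following is an added example, not code from McAfee's report: it parses a few constructed cleartext-HTTP log lines and flags any client/host pair whose request cadence is too regular to be human browsing. The host names, client address and timestamps are all made up for the illustration.

```python
"""Beaconing detector for plaintext HTTP polling (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <url>".
# The host names are placeholders, not indicators from the McAfee report.
SAMPLE_LOG = """\
2016-09-01T10:00:00 10.0.0.7 GET http://c2.example.invalid/cmd?id=abc
2016-09-01T10:00:30 10.0.0.7 GET http://c2.example.invalid/cmd?id=abc
2016-09-01T10:01:00 10.0.0.7 GET http://c2.example.invalid/cmd?id=abc
2016-09-01T10:01:31 10.0.0.7 GET http://c2.example.invalid/cmd?id=abc
2016-09-01T10:02:00 10.0.0.7 GET http://c2.example.invalid/cmd?id=abc
2016-09-01T10:00:05 10.0.0.7 GET http://news.example.invalid/index.html
2016-09-01T10:03:40 10.0.0.7 GET http://news.example.invalid/story/1
2016-09-01T10:09:12 10.0.0.7 GET http://news.example.invalid/story/7
"""


def parse(log):
    """Yield (timestamp, client, host) for each cleartext HTTP request line."""
    for line in log.splitlines():
        ts, client, _method, url = line.split()
        if not url.startswith("http://"):
            continue  # only unencrypted traffic is in scope here
        host = url[len("http://"):].split("/", 1)[0]
        yield datetime.fromisoformat(ts), client, host


def find_beacons(log, min_requests=4, max_cv=0.1):
    """Return {(client, host): mean_gap_seconds} for hosts polled at a steady cadence.

    Automated polling shows a low coefficient of variation (stdev / mean) in
    the gaps between requests; ordinary browsing is far more irregular.
    """
    seen = defaultdict(list)
    for ts, client, host in parse(log):
        seen[(client, host)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons
```

Tune `min_requests` and `max_cv` to the log volume at hand; real malware often adds jitter, so the threshold is a starting point rather than a verdict.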

There's no ransom note included with the malware and it doesn't make any demands for money. Instead, attackers simply annoy users who've been locked out of their handset with a picture of a cat. That could change at some point, however, as the application code does contain a method to decrypt affected files.

"These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques," McAfee says.

McAfee has been informing owners of abused servers of the ransomware and requesting that they take down the service.