Ransomware isn't really limited to Windows PCs now; even the mobile world is not safe, with these cryptomalware actively attempting to infect many Android devices around the world. And just recently, a new cat-themed variant was seen running in the wild, which not only encrypts your files, but also steal your SMS messages, and block users from access altogether.
The McAfee Labs Mobile Malware Research team discovered the threat, which they called "El Gato," which translates into "cat" in Spanish. The malware reportedly has botnet capabilities, has a web-based control panel service, and is running on a "legitimate cloud service provider."
With its control panel, the ransomware is programmed to frequently check its Command & Control (C&C) server, which allows hackers to send the program commands to the infected devices. These instructions are transmitted using HTTP, and has no encryption whatsoever.
Unlike the usual ransomware, El Gato does not come with any ransom note, or a demand for money in order to decrypt the affected files. Instead, it only displays a picture of a cat hanging by the window. The malware can not only encrypt files, but it also has the ability to steal SMS messages and then forward them to the hacker, and lock the user out from the device using an AES encryption with a hardcoded password.
Moreover, a peculiar discovery was made by the researchers. El Gato's code actually contained instructions to decrypt the files affected, allowing anyone who finds the instructions to break free from the malware.
The research implied that El Gato might actually still be under development, given its current behavior. It further stated:
This ransomware variant looks like a demo version used to commercialize malware kits for cybercriminals because the control server interface is not protected and includes in the code words such as 'MyDificultPassw.'
These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanized apps, social media networks, or other social engineering techniques.
McAfee labs stated that they have contacted the owners of the abused servers, and asked them to terminate the malicious service.