Simplocker, the first Android File-Encrypting Ransomware

Security experts at ESET discovered and analyzed the first Android File-Encrypting ransomware dubbed Simplocker with C&C hosted on TOR.

Ransomware is  not a prerogative of desktop computers, cyber criminals are targeting also mobile platforms, recently it has been discovered the first mobile trojan able to encrypt victim’s data on Android by ESET security firm.

Cyber criminals have already adopted an extortion scheme for Android OS, last year security experts at Symantec detected a malicious application, calling itself Android Defender, that pretending to be a mobile AV was blocking the mobile screen.

This week, malware analysts at ESET announced to have detected a new Android trojan, dubbed Android/ Simplocker, that once infected the mobile device scans the SD card for certain file types (e.g. jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4), encrypts them with AES, and demands a ransom in order to decrypt the files.

The sample of Simplocker ransomware analyzed by the specialists at ESET is in the form of an application called ‘Sex xionix’, the bad news is that it was available on the official Google Play.

In the following image is proposed the message displayed by Android/ Simplocker just after its execution, in this phase a separate thread in the background is launched by the ransomware to encrypt the file.

The ransom message is written in Russian and its translation looks like:

“WARNING your phone is locked! The device is locked for viewing and distribution child pornography , zoophilia and other perversions. To unlock you need to pay 260 UAH. 1. Locate the nearest payment kiosk. 2. Select MoneXy 3. Enter {REDACTED}. 4. Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt! After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

The experts highlight that the payment demanded is in Ukrainian hryvnias, this means that the instance of ransomware is designed to target users in this region. The Russia, including ex states of the old Soviet Union, is a very prolific for cyber criminals activities, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from these countries.

To make hard the payment tracking the criminals have chosen the MoneXy service, the ransom request is 260 UAH (16 EUR).

 

 

The Android/ Simplocker.  also contacts the C&C server and send device information (e.g. IMEI, model, OS version), once again the author of the malware demonstrated attention to the details, improving anonymity of control infrastructure hosting it in Tor network.

ESET experts believe that to the C&C is also assigned the task to verify the payment reception to return the decrypted file to victims:

“As you may notice on the nag-screen above, there is no input field for a payment-confirming code of any kind, as we’ve seen in earlier examples of Windows ransomware. Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files.” states the blog post issued by ESET.

Analysts suspect that the version of Android/ Simplock. A analyzed it a proof-of-concept or a work in progress, the malware is capable of encrypting the user’s files, but data may be lost if the encryption key is not retrieved.

As usual, it is suggested to the victims to report to law enforcement in case of infection, avoiding to pay the ransom.

“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.” states ESET.

To protect yourself from ransomware never open email attachments from unknown sources and backup your data periodically.

Pierluigi Paganini

(Security Affairs –  Simplock, ransomware)