Android/Simplocker encrypts victims’ content on their mobile device until a ransom is paid
Researchers have discovered what could be the first piece of Android ransomware that encrypts the user’s content on their mobile device before demanding a ransom payment so the victim can regain access to their files.
The new Android ransomware was discovered by Robert Lipovsky, a researcher from ESET, who posted about the new threat and outlined the previous examples of Android ransomware.
“The situation has changed however, with this most recent discovery, last weekend, of an Android trojan, detected by ESET as Android/Simplocker,” said the researchers. “This malware, after setting foot on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files.”
According to Lipovsky, the ransomware scans for image, document and video file extensions and locks the files up with AES 256-bit encryption. This is the first time encrypting ransomware has appeared on Android devices; it is similar to Windows ransomware such as Cryptolocker.
Android/Simplocker, however, displays a message in Russian which demands a payment of approximately $21 (£12.54). According to Lipovsky, because the payment demand is in Ukrainian hryvnias, the threat is likely targeted against this region.
“Warning, your phone is locked,” says the ransom demand. “The device is locked for viewing and distribution child pornography, zoophilia and other perversions.”
“To unlock you need to pay 260 UAH,” the note reads, before providing payment details. “In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!” It promises to unlock your device within 24 hours if payment is made.
And interestingly, it seems that Android/Simplocker.A will also contact its Command & Control server hosted on a TOR domain, and send identifiable information from the device such as IMEI numbers, device models, product and hardware manufacturers, and operating system versions.
Lipovsky says that the ransomware was detected in an app called ‘Sex xionix’, but because this was not found on the official Google Play store, its prevalence should be very low.
It is not clear at this stage what versions of Android are vulnerable.
Last month, BitDefender Labs warned that a new piece of ransomware known as Koler.A is affecting Android smartphones and tablets. Users browsing porn websites are apparently tricked into installing the application, which poses as a premium video player under the name “BaDoink”.
Once installed, Koler.A uses the device’s IMEI number to find the device’s home location, and sends a message purporting to come from a local police force, which claims the user has accessed “banned pornography” including child porn, and demanding $300 to reactivate the phone.
Earlier this week, Apple’s CEO Tim Cook used his keynote speech at Apple’s Worldwide Developers Conference (WWDC) in San Francisco to lambast Android, saying that many Android users were not using the latest Android OS, which exposes them to all types of security risks because Android “dominates the mobile malware market.”