
Security researchers have completed their analysis of the first file-encrypting ransomware targeting Android devices, identified as Android/Simplocker. The malware scans a device’s SD card for jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4 files, encrypts them, and then issues a ransom demand for their recovery.

Last year, researchers identified malicious antivirus ransomware that locked the screens of infected devices, and more recently “police malware” targeting Android devices was detailed by the Reveton team, though that code was not capable of encrypting files. Now rogue developers have taken the next step in the evolution of Android ransomware.

“This Android trojan, detected by ESET as Android/Simplocker, after setting foot on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files,” wrote Robert Lipovsky, noting that the ransom message appears in Russian.

“The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine,” Lipovsky said. “After launch, the trojan will display the following ransom message and encrypt files in a separate thread in the background:”

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Click MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

“It will also contact its Command & Control server and send identifiable information from the device (like IMEI, et cetera). Interestingly, the C&C server is hosted on a TOR .onion domain for purposes of protection and anonymity,” Lipovsky explained.

Thus far, the malware has not been widely distributed and has not been found among the offerings in the official Google Play store, leading the researchers to believe this version may be a proof-of-concept prototype, with improved versions likely to appear in the wild soon.
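The article lists the file extensions Simplocker targets on the SD card and notes that the files are overwritten with encrypted content. For incident responders triaging a device or an SD card image, a practical first check is whether files carrying those extensions still look like the format their name claims. The script below is an added example, not ESET's tooling or part of the original article: it walks a directory, and for each file with a targeted extension it compares the leading bytes against the format's well-known magic signature; for txt files, which have no signature, it falls back to a Shannon entropy threshold (the 7.5 bits/byte cut-off and the sample files are constructed assumptions). The header check is deliberately the primary signal, because intact jpg and mp4 files are already high-entropy and would trip an entropy-only heuristic.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions the article reports Android/Simplocker encrypting on the SD card.
TARGET_EXTENSIONS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc",
                     "docx", "txt", "avi", "mkv", "3gp", "mp4"}

# Well-known magic signatures as (offset, bytes); txt has none, so it is absent.
MAGIC = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "bmp": [(0, b"BM")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "pdf": [(0, b"%PDF")],
    "doc": [(0, b"\xd0\xcf\x11\xe0")],   # OLE2 compound document
    "docx": [(0, b"PK\x03\x04")],        # OOXML is a zip container
    "avi": [(0, b"RIFF")],
    "mkv": [(0, b"\x1a\x45\xdf\xa3")],   # EBML header
    "3gp": [(4, b"ftyp")],               # ISO base media file format
    "mp4": [(4, b"ftyp")],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, data: bytes):
    """True/False if a signature is known for ext, None if the type has no magic."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data[off:off + len(sig)] == sig for off, sig in sigs)


def classify_file(path: str, entropy_threshold: float = 7.5):
    """Return a triage record for a targeted file, or None if the extension is out of scope."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext not in TARGET_EXTENSIONS:
        return None
    with open(path, "rb") as fh:
        head = fh.read(4096)            # the first 4 KiB is enough for both checks
    entropy = shannon_entropy(head)
    ok = header_matches(ext, head)
    # Signature mismatch is decisive; entropy only decides for signature-less types.
    suspicious = (ok is False) or (ok is None and entropy > entropy_threshold)
    return {"name": os.path.basename(path), "ext": ext,
            "entropy": round(entropy, 2), "header_ok": ok, "suspicious": suspicious}


def scan_tree(root: str):
    """Triage every targeted-extension file under root; keyed by file name."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            record = classify_file(os.path.join(dirpath, name))
            if record is not None:
                results[record["name"]] = record
    return results


def build_sample_card() -> str:
    """Constructed sample SD-card layout: two intact files, two 'encrypted' ones, one ignored."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    ciphertext_like = bytes(range(256)) * 16       # deterministic, entropy exactly 8.0
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,   # valid header, intact
        "photo.jpg": ciphertext_like,                        # header gone: encrypted
        "notes.txt": b"shopping list\n" * 20,                # plain text, low entropy
        "diary.txt": ciphertext_like,                        # no magic, but entropy says encrypted
        "app.apk": b"PK\x03\x04",                            # not a targeted extension
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rec in scan_tree(build_sample_card()).values():
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{rec['name']:<12} header_ok={rec['header_ok']!s:<5} entropy={rec['entropy']:<5} {flag}")
```

Run it against a mounted SD card or an extracted image by passing that path to scan_tree. A high count of signature mismatches across the targeted extensions is the kind of artefact an investigator would expect after Simplocker has run, whereas isolated mismatches are more often just misnamed files.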

“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
