After analyzing the code, University of Sussex undergraduate Simon Bell says he has developed a Java-based application that can undo malicious file encryption damage inflicted by the Simplocker ransomware that targets Android devices.
“This dissection shows how the app encrypts user’s files and that information about the phone is sent to a C&C (command and control) server on the TOR network,” Bell writes.
Simplocker malware scans an infected device’s SD card to identify jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 file types for encryption, then issues a ransom demand to recover the files, is the first known ransomware to employ encryption as a tactic to compel targets in an extortion scheme.
“The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine,” ESET’s Robert Lipovsky said of the malware.
Last year researchers had identified malicious antivirus ransomware that locked the screens of infected devices, and more recently “police malware” targeting Android devices was detailed by the Reveton team, though the malicious code was not capable of encrypting files. Now rogue developers have achieved that next step in the evolution of Android ransomware.
“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them,” Lipovsky said.
Bell says the application he is developing will be able to harvest the decryption keys for the ransomware, but is still facing some challenges in the process, and may have figured out how to overcome them.
“One important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?” Bell wrote. “In the next blog post we’ll look at how you can create an antidote for this ransomware.”
Thus far, the malware has not been distributed widely, and has not been detected in offerings in the official Google Play store, leading researchers to believe this version may be a proof-of-concept prototype, and we could see improved versions in the wild soon.
Bell’s antidote may arrive just in time.
Read More Here…