Android/Simplocker could be the first Android ransomware to encrypt files

Android/Simplocker could be the first ransomware to encrypt files on Android mobile devices.

ESET researchers have shed some light on what could be the first file-encrypting ransomware for Android devices – and it just so happens to have a command-and-control server hosted on Tor, as well.

The threat – known as Android/Simplocker – was discovered over the weekend after a file was submitted to VirusTotal from Ukraine, Robert Lipovsky, an ESET malware researcher who posted about the threat, told SCMagazine.com in a Wednesday email correspondence.

On top of scanning the SD card for files with image, document and video extensions and locking them up with AES 256-bit encryption, Android/Simplocker additionally sends phone data to a command-and-control server hosted on the anonymous Tor network.

“It's not all that common, but it isn't all that exceptional either,” Lipovsky said, explaining that information sent to the command-and-control server includes IMEI numbers, device models, product and hardware manufacturers, and operating system versions.

Users must manually install Android/Simplocker in order to become infected, so it is most likely that the ransomware is making the rounds in a social engineering campaign, Lipovsky said. He explained in the post that the sample analyzed by ESET came in an application named “Sex xionix.”

When infected, mobile devices running the Android operating system will display a message written in Russian, which demands a ransom of 260 Ukrainian Hryvnia, or a little more than $20, Lipovsky wrote in the post, explaining victims are directed to use the MoneXy service to send payment.

ESET researchers have not observed any infections yet, so those clues are all there is to go on when speculating who is being targeted by Android/Simplocker and where the author may be located, Lipovsky said.

Not downloading shady applications and staying away from untrustworthy app sources will help users avoid the Android/Simplocker threat, according to Lipovsky, who added that users should frequently back up their mobile devices so compromised files can easily be recovered.   

Lipovsky could not immediately specify which versions of Android are at risk.

UPDATE: On Thursday, Lipovsky told SCMagazine.com that Android versions 2.3 and above are affected by this ransomware.