Ransomware for Android devices that emerged for sale in a malware authors' forum for $5,000 in mid-May has already caused more than 2,000 infections in 13 countries and spawned 30 modifications, according to Kaspersky Labs expert Roman Unuchek.
Modifications of Trojan-Ransom.AndroidOS.Pletor.a, which a Kaspersky spokesperson confirmed is the same as the Android/Simplocker recently identified by ESET and billed as the first to use encryption, fall into two groups. One group uses the Tor network to communicate, while the other relies on HTTP and SMS channels and uses the device's front camera to display the victim's image in the ransom demand.
The Trojan has spread primarily from downloads on fake porn sites and to a lesser extent by simulating games and other programs.
Unuchek's post said victims shouldn't pay up since all versions observed contain a decryption key.