Android/Simplocker could be the first Android ransomware to encrypt files

ESET researchers have shed some light on what could be the first file-encrypting ransomware for Android devices – and it just so happens to have a command-and-control hosted on Tor, as well.

The threat – known as Android/Simplocker – was discovered over the weekend after a file was submitted to VirusTotal from Ukraine, Robert Lipovsky, an ESET malware researcher who posted about the threat, told SCMagazine.com in a Wednesday email correspondence.

On top of scanning the SD card for images, documents and video extensions and locking the files up with AES 256-bit encryption, Android/Simplocker additionally sends phone data to a command-and-control server hosted on the anonymous Tor network.
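The behaviour described above (media and document files on the SD card replaced by AES ciphertext) is something a defender can triage for after the fact. The following is an added example, not ESET's or SC Media's code: a Python check that flags files whose name carries a targeted media/document extension wrapped by an extra suffix and whose contents have the near-8-bits-per-byte entropy typical of ciphertext. The appended suffix `.enc`, the concrete extension list and the sample files are constructed assumptions; the article does not state which suffix Android/Simplocker appends.

```python
"""Triage check for bulk file-encryption on a removable volume.

Added example for illustration only (not ESET's or SC Media's code).
Assumptions, not facts from the article: the encrypted-file suffix
".enc", the exact extension list, and the constructed sample files.
"""
import math
import os
import random
from collections import Counter
from typing import Dict, List

# Article says images, documents and video are targeted; the concrete
# list below is an assumption for the example.
TARGET_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".pdf", ".txt",
    ".mp4", ".avi", ".mkv", ".3gp",
}
ASSUMED_SUFFIX = ".enc"   # hypothetical marker appended to encrypted files
ENTROPY_THRESHOLD = 7.5   # bits per byte; AES ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True if the file name and contents both match the encrypted pattern.

    A renamed-but-unencrypted file (low entropy) or an encrypted file of a
    non-targeted type is deliberately not flagged, so both checks must hold.
    """
    base, suffix = os.path.splitext(name)
    if suffix.lower() != ASSUMED_SUFFIX:
        return False
    _, inner_ext = os.path.splitext(base)
    if inner_ext.lower() not in TARGET_EXTENSIONS:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage(files: Dict[str, bytes]) -> List[str]:
    """Return the sorted names of files that look encrypted by the ransomware."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def _pseudo_ciphertext(size: int, seed: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample "SD card" contents; not real Simplocker artefacts.
SAMPLE_FILES: Dict[str, bytes] = {
    "cat.jpg.enc": _pseudo_ciphertext(4096, 1),        # encrypted photo: flagged
    "report.pdf.enc": _pseudo_ciphertext(4096, 2),     # encrypted document: flagged
    "song.mp3.enc": _pseudo_ciphertext(4096, 3),       # not a targeted type: ignored
    "holiday.jpg.enc": b"\xff\xd8\xff" + b"\x00" * 4093,  # renamed, not encrypted: ignored
    "notes.txt": b"shopping list: milk, bread, eggs\n" * 64,  # untouched file
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print("possible encrypted file:", hit)
```

Run over a real mount point you would replace `SAMPLE_FILES` with a walk of the volume, reading only the first few kilobytes of each file for the entropy estimate; the two-part test (name pattern plus entropy) keeps a mere rename or a legitimately compressed file from being reported.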

“It's not all that common, but it isn't all that exceptional either,” Lipovsky said, explaining that information sent to the command-and-control server includes IMEI numbers, device models, product and hardware manufacturers, and operating system versions.

Users must manually install Android/Simplocker in order to become infected, so it is most likely that the ransomware is making the rounds in a social engineering campaign, Lipovsky said. He explained in the post that the sample analyzed by ESET came in an application named “Sex xionix.”

When infected, mobile devices running the Android operating system will display a message written in Russian, which demands a ransom of 260 Ukrainian Hryvnia, or a little more than $20, Lipovsky wrote in the post, explaining victims are directed to use the MoneXy service to send payment.

ESET researchers have not observed any infections yet, so those clues are all there is to go on when speculating who is being targeted by Android/Simplocker and where the author may be located, Lipovsky said.

Not downloading shady applications and staying away from untrustworthy app sources will help users avoid the Android/Simplocker threat, according to Lipovsky, who added that users should frequently back up their mobile devices so compromised files can easily be recovered.

Lipovsky could not immediately specify which versions of Android are at risk.

UPDATE: On Thursday, Lipovsky told SCMagazine.com that Android versions 2.3 and above are affected by this ransomware.
