
Simplocker Android ransomware variant identified, tougher to decrypt files

A new and improved variant of Simplocker ransomware for Android devices is currently being distributed, according to Avast.

When Simplocker was first identified in June 2014, it was considered possibly the first ransomware for Android devices that encrypts files. However, the encryption key was hardcoded inside the malware and was not unique for each device, meaning the so-called “master key” could simply be used to unlock any infected device without paying the ransom.

That is not the case anymore.

“This new variant has a more sophisticated way to encrypt the files inside the device,” Nikolaos Chrysaidos, Avast mobile malware analyst, told SCMagazine.com in a Tuesday email correspondence. “It generates a unique key for each device that it infects, making it more difficult to decrypt the files on each device.”

The latest variant of Simplocker infects users when they navigate to less-than-reputable websites and are told they must download a “Flash Player” to watch videos, a Wednesday post indicates. Once the app is installed and opened, the “Flash Player” requests device administrator privileges which, when granted, activate the ransomware.

Upon activation, most victims are met with a notification purporting to be from the FBI, which claims that “suspicious files” were found on the device and that users must pay a $200 fine to decrypt their files. There is no time limit to unlock the files, Chrysaidos said.

“The main ransom screen can be changed according to the sim locale of the infected device, so hackers can change the currency for the ransom as needed,” Chrysaidos said. “The U.S. is the primary target for the current attack, and the FBI warning screen is shown to all countries with the exception of the following three: Arab Emirates, Saudi Arabia, [and] Iran.”

He continued, “This makes us believe that [the threat] is coming from the Middle East, since the ransom screens are custom made for these three countries, while the rest of the world sees the FBI warning screen.”

So far Avast has observed 5,500 attacks that the company was able to prevent, Chrysaidos said.

Avast recommends that impacted users do not pay the ransom. Instead, back up the encrypted files to a computer (this will not harm the computer), boot the phone in safe mode, remove the malicious app from administrator settings, and uninstall the app from the application manager. Victims will then have to wait until a solution to decrypt the files has been found, the post indicates.

Chrysaidos said that Simplocker encrypts files with numerous extensions, including dng, doc, docx, jpg, jpeg, ppt, pdf, pptx, rtf, xls and zip.
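A triage helper for the backup step above, added here as an example and not code from Avast or the article: it walks a backup copy of the phone's files and flags those with the listed extensions whose header no longer matches their format's magic bytes. It assumes an encrypted file no longer carries its original header (the article does not say how this variant writes its output); the sample files are constructed.

```python
import os, tempfile

# Extensions the article lists as targeted, mapped to the magic bytes a genuine
# file of that format starts with (OLE for legacy Office, ZIP for OOXML, TIFF for DNG).
OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)
ZIP = (b"PK\x03\x04",)
EXPECTED_MAGIC = {
    "pdf": (b"%PDF",), "rtf": (b"{\\rtf",),
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "zip": ZIP, "docx": ZIP, "pptx": ZIP,
    "doc": OLE, "xls": OLE, "ppt": OLE,
    "dng": (b"II*\x00", b"MM\x00*"),
}

def looks_encrypted(path):
    """True if a watched file's header no longer matches its format (likely
    ciphertext), False if it matches, None if the extension is not watched."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    if ext not in EXPECTED_MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(m) for m in EXPECTED_MAGIC[ext])

def triage_backup(root):
    """Walk a backup directory; return (probably encrypted, intact) relative paths."""
    encrypted, intact = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdict = looks_encrypted(path)
            if verdict is None:
                continue
            (encrypted if verdict else intact).append(os.path.relpath(path, root))
    return sorted(encrypted), sorted(intact)

def demo():
    """Constructed backup: intact PDF/JPEG/DOCX, one .doc of random-looking bytes, one unwatched file."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "notes.docx": b"PK\x03\x04" + b"\x00" * 12,
        "invoice.doc": b"\x8a\x1f\x92\x04\x33\xc1\x7d\x55\xaa\x07",  # stands in for ciphertext
        "readme.txt": b"not in the watched list",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage_backup(root)
```

A header mismatch is only a hint: a truncated or corrupted file trips it too, so treat the output as a worklist for the later decryption step, not proof.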
