New variant funnelled on the device via downloader

Jun 19, 2014 14:13 GMT  ·  By

Despite its simplicity, which various security researchers have publicized, and the fact that tools exist to reverse its malicious activity, Simplocker has seen an increase in distribution.

Robert Lipovsky, malware researcher at ESET, warns that several variants of the Trojan have been detected, a fact also confirmed at the beginning of last week by Kaspersky.

However, the researcher points out that the new variants have integrated a file-decryption command, which is issued to indicate that the victim has paid the ransom. Also, different sums of money are demanded, in both Ukrainian hryvnias and Russian rubles.

Only Russians and Ukrainians seem to be targeted by the Trojan right now, and there is no indication of extortion attempts in currencies other than the ones mentioned above; but the trend could change, since distribution in the rest of the world has reached 10%, according to ESET metrics.

The threat is most prevalent in Russia, where 48% of the infections have been recorded, while Ukraine accounts for 42%.

As far as the attack vectors are concerned, the threat is still distributed using social engineering tactics that lure the victim with incentives ranging from adult video content to apps purporting to be popular games.

Apart from this, the ESET team noticed a new strategy from the cybercriminals, which involves a Trojan downloader, identified by the products of the security firm as Android/TrojanDownloader.FakeApp.

Lipovsky says that the analyzed sample tempted the victim into downloading the malware, masquerading as a video player, via an external link. This way, the downloader has slimmer chances of being detected by the security mechanisms that verify the items published on Google Play.

This is possible because the app itself shows no signs of malicious behavior: opening a link outside the app is common to many other programs, and “the downloader has practically no 'potentially harmful' application permissions – so even a user who scrutinizes app permissions at installation may allow this one,” writes Lipovsky.

Additionally, in the sample checked by the ESET team “the URL contained within the app didn’t point to the malicious Simplocker APK package directly. Instead, the trojan was served after a redirect from the server under the attacker’s control. This technique is something to watch out for.”
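The redirect trick described above can be spotted from the defender's side by looking at the whole HTTP chain rather than the link the app exposes. The following is an added example, not code from the article or from ESET; it assumes the hops of a redirect chain have already been captured by a proxy or sandbox, and all URLs, hosts and headers in it are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

APK_MIME = "application/vnd.android.package-archive"  # MIME type of an Android package

@dataclass
class Hop:  # one HTTP response in a redirect chain, as a proxy or sandbox would record it
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def _header(hop, name):
    # Case-insensitive header lookup; "" when absent
    return {k.lower(): v for k, v in hop.headers.items()}.get(name.lower(), "")

def inspect_chain(chain):
    """Return a finding dict when a chain ends in an APK, else None."""
    if not chain:
        return None
    first, last = chain[0], chain[-1]
    reasons = []
    ctype = _header(last, "Content-Type").split(";")[0].strip().lower()
    if ctype == APK_MIME:
        reasons.append("final response is an APK by Content-Type")
    if ".apk" in _header(last, "Content-Disposition").lower():
        reasons.append("final response names an .apk file in Content-Disposition")
    if not reasons:
        return None  # delivers something other than an Android package
    # Context that makes the delivery suspicious: the visible link hid the package
    if not urlparse(first.url).path.lower().endswith(".apk"):
        reasons.append("starting link does not reveal an APK download")
    hosts = [urlparse(h.url).hostname for h in chain]
    if len(set(hosts)) > 1:
        reasons.append("redirect crosses hosts: " + " -> ".join(hosts))
    return {"start": first.url, "final": last.url,
            "redirects": len(chain) - 1, "reasons": reasons}

# Constructed sample: a "video player" link that lands on an APK after one redirect
SAMPLE_CHAIN = [
    Hop("http://video-share.example/player?clip=1", 302,
        {"Location": "http://dl-host.example/fetch?id=77"}),
    Hop("http://dl-host.example/fetch?id=77", 200,
        {"Content-Type": APK_MIME,
         "Content-Disposition": 'attachment; filename="VideoPlayer.apk"'}),
]
# Constructed benign chain: the link really serves a video
BENIGN_CHAIN = [Hop("http://video-share.example/player?clip=2", 200,
                    {"Content-Type": "video/mp4"})]
```

Run over proxy logs, a finding that combines a non-APK starting link, a cross-host redirect and an APK final response is the pattern the ESET sample used; a direct `.apk` link on a single host would be reported with fewer reasons.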

This week, Avast released a tool that can scan Android devices for signs of Simplocker infection and remove it.

Moreover, it provides file decryption services if the data has already been taken hostage. The tool is free and can be installed remotely from Google Play on the affected device.