14 DAY TRIAL // A student at the University of Sussex, United Kingdom, performed a detailed analysis of the first malware with file-encryption capabilities for Android and promised to reveal a tool for reverting the ransomware effects.
Simplocker Trojan, uncovered by ESET at the beginning of June, has been labelled as the first ransomware that can target specific files stored on the SD card of an Android device and lock them up through encryption until the victim pays up a ransom.
After infecting the device, the malware checks for specific types of files to encrypt (JPG, PNG, BMP, GIF, PDF, DOC, DOCX, TXT, AVI, MKV, 3GP, MP4) and shows the victim a ransom message asking for 260 Ukrainian hryvnia ($22/16 EUR) for the data to be decrypted.
Simon Bell, a final year undergraduate studying Computer Science, notes that there is a way to reverse the file encryption carried out by the Trojan.
In his analysis, he reverse-engineers the malware piece in order to learn about the components present and how they act.
After turning the APK sample into a JAR file, the student observes the class files available, which include connecting to the anonymous TOR network, encryption of specific types of files (images, videos and documents) using the AES algorithm, gathering information about the phone, and connecting to the command and control server to send the data.
Among the files he found was the AesCrypt class, which contains the encrypt() method and uses the password “jndlasf074hr” that is found in the Constants. This could be the key to reverting the encryption process and the unlocking of the affected data because, according to Bell, the decrypt() method used is very similar to encrypt().
Bell’s analysis shows that the Trojan communicates with the remote server through port 9051 and that reverse-engineering is not too difficult thanks to the lack of obfuscation code.
This is the same conclusion reached by ESET researchers, who said that their “analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to 'the infamous Cryptolocker' on Windows.”
At the end of the post Bell writes, “But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?” and promises to reveal the steps for creating the antidote for the ransomware.
The original Simplocker suffered modifications, and researchers at Kaspersky found that there are more than 30 variants available that can be split into two groups: one with the characteristics presented by ESET and one that displays the picture of the victim in the ransom message.
[Update, June 17, 2014]: Simon Bell has just released the unlocking solution for Simplocker. It relies on using the built-in decrypt method and the password mentioned in the above article.