Crypto-malware starts to evolve and seeks English-speaking victims

Jul 22, 2014 18:26 GMT  ·  By

A new variant of the Android ransomware Simplocker has been detected and it comes with encryption capabilities for archives, which is the preferred format of many backup apps for mobile devices.

Security researchers at ESET, who first discovered the mobile crypto-malware, warn that the fresh strain has been prepared to target a larger audience: the ransom message is now in English and the demanded fee has increased to $300 / €222.

Cybercriminals seem to have learned their lesson during the test run on Russian-speaking victims and have added the 7z, ZIP and RAR compression formats to the list of files the malware encrypts.

These archive types are the most common output of backup apps for Android devices. As a result, once the device is infected, the victim can no longer restore information from the backup, because the backup itself is encrypted and its contents cannot be accessed; this increases the crooks' chances of getting paid.

However, ESET’s Robert Lipovsky says that the encryption routine itself has not changed significantly, apart from using a different key for locking the files. He notes that solutions for decrypting the locked data exist and points to an ESET tool for the job.

The researcher noticed that the revised Simplocker asks for device administrator privileges, which makes it harder to remove, because few users know that an app’s administrator rights can be revoked from Settings > Security > Device Administrators, after which the app can be uninstalled.

Simplocker is the first file-encrypting ransomware for the Android operating system, and samples appeared on the security industry’s radar at the beginning of June. At that time, the malware was more of a proof of concept than a full-fledged money-making tool.

It created some confusion, because while the ransom message was in Russian, the fee was expressed in Ukrainian hryvnia.

Security researchers at Kaspersky spotted the malware for sale on underground forums in May, for the price of $5,000 / €3,680. After that date, the Simplocker infections took off and spread to non-Russian speaking countries.

Multiple strains have been seen since then, with researchers observing different modes of operation. One of the variants displays the ransom message alongside a picture of the victim taken with the built-in camera; this also appears to be the case with the fresh strain.

The current version does not seem to propagate differently than its predecessors and social engineering is still employed for the trickery.

Crooks lure potential victims with legitimate-looking apps, such as a Flash video player, though other apps can be used as bait, too; the downloads come from unverified app stores.