Researchers spot first ever Android ransom attack that ENCRYPTS data files

Simplocker attack apes Cryptolocker, uses Tor to hide

Researchers working for security firm ESET have discovered the first ever malware capable of encrypting data files on an Android smartphone as part of a full-blown 'Cryptolocker-style' ransom attack.

Called 'Simplocker', the Russian-language Trojan scans the device's SD card or internal storage, encrypting any data files it finds there with a range of extensions, including obvious ones such as .jpg, .doc, .avi and .mp4. The encryption used is strong 256-bit AES.
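One way a responder could check a recovered SD card or storage image for the kind of damage described above, as an added example that is not from the article or from ESET: files carrying one of the targeted extensions that no longer start with their format's magic bytes and whose contents are near-random are flagged as probable AES ciphertext. The magic-byte table, the 7.5 bits-per-byte threshold and the sample files are this example's own assumptions.

```python
import math, os, secrets, shutil, tempfile

# Extensions the article names as Simplocker targets, with the magic
# bytes (offset, signature) a genuine file of that type should start with.
MAGIC = {
    ".jpg": (0, b"\xff\xd8\xff"),
    ".doc": (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ".avi": (0, b"RIFF"),
    ".mp4": (4, b"ftyp"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES ciphertext sits close to 8.0, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Flag a targeted file that lacks its format's magic bytes and is high-entropy."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    off, sig = MAGIC[ext]
    if head[off:off + len(sig)] == sig:
        return False
    return shannon_entropy(head) >= threshold

def scan_storage(root: str) -> list:
    """Walk a mounted SD card or storage image and list suspected ciphertext files."""
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root)
                  for n in names if looks_encrypted(os.path.join(d, n)))

def demo() -> set:
    """Constructed sample: intact JPEG, 'encrypted' JPEG (random bytes), untargeted .txt."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "intact.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + bytes(2000))
        with open(os.path.join(root, "photo.jpg"), "wb") as f:
            f.write(secrets.token_bytes(4096))   # stands in for AES output
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(secrets.token_bytes(4096))   # random, but not a targeted type
        return {os.path.basename(p) for p in scan_storage(root)}
    finally:
        shutil.rmtree(root)
```

Only the renamed-and-scrambled photo.jpg is reported; the intact JPEG passes on its magic bytes and the random .txt is ignored because its extension is not on the target list.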

The splash screen then states [translated from Russian]: "WARNING your phone is locked! The device is locked for viewing and distribution child pornography, zoophilia and other perversions," before demanding 260 Ukrainian Hryvnia (about £13 or $9), payable via MoneXy, in exchange for the return of the data.

An unusual feature is that the malware's command and control (C&C) operates over the Tor anonymity service. It also doesn't appear to supply a conventional unlock key: instead it works out which victims have paid over this encrypted channel by matching money transfers to the smartphone's identifying IMEI number.

ESET reckons the malware's prevalence is currently "very low". So far it is targeting Android users in Russian-speaking countries who contract it after downloading an app called 'Sex xionix' from a third-party app store.

If the threat from this app is very low, the intent is not. What starts on Russian malware sites has a habit of eventually spreading to more complex attacks in other markets. There can be no doubt that encryption malware in its most severe form is coming to the wider population of Android devices at some point.

ESET is at pains to distinguish Simplocker from other types of mobile malware that use the ransom tactic in annoying but less serious ways. A recent example was the Reveton-linked lockscreen attack that demanded a ransom after pestering the user with pop ups that make the smartphone hard to operate.

Probably the first attack of this kind was 'Android Defender' last June, which demanded payment in return for cleaning the device of non-existent malware.

Although alarming, Android ransom attacks have to date not actually encrypted files in a way that would make the data impossible to retrieve without paying up. Although encryption malware is common on PCs - witness the notorious Cryptolocker - Simplocker is the first example ever to use this approach on a mobile device.

"Our analysis of the Android/Simplock.a sample revealed that we are most likely dealing with a proof-of-concept or a work in progress. For example, the implementation of the encryption doesn't come close to the infamous Cryptolocker on Windows," said ESET's researchers.

"Nevertheless, the malware is fully capable of encrypting the user's files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up, not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them."

The good news is that Android smartphone and tablet users have more defence against such attacks as long as they back up their files to Google's cloud. That would allow them simply to reset their phone and reinstate their files. It doesn't appear that Simplocker goes after the cloud storage, although that backup could become a target in future.
