ESET experts have caught the first example of a file-encrypting Android mobile Trojan, which they named Android/Simplocker. Similar in nature to the Filecoder/Cryptolocker malware that has been increasingly plaguing PCs in the past year, this Trojan, once it gains a foothold on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in exchange for decrypting the files.
After launch, the Trojan displays the following ransom message while encrypting files in a separate background thread:
“WARNING your phone is locked!
The device is locked for viewing and distribution child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy
3. Enter {REDACTED}.
4. Make deposit of 260 Hryvnia, and then press pay.
Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”
The malware, just like the very first Android SMS Trojans (including Android/Fakeplayer) back in 2010, originates from Ukraine and Russia, and it directs the victim to pay 260 Ukrainian Hryvnias (approximately €16) through the MoneXy service, which is not as easily traceable as a regular credit card payment.
Android/Simplocker.A scans the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4, and encrypts them. It also contacts its Command & Control server and sends identifiable information from the device.
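The extension list above gives a defender a cheap triage check for an SD card image: a file that still carries a .jpg or .mp4 name but has lost its format signature and whose content is near-random has most likely been overwritten with ciphertext. The script below is an added example, not ESET's code and not derived from the malware sample; the signature table, the 7.5 bits-per-byte threshold and the constructed sample files are assumptions for illustration.

```python
import math
import tempfile
from pathlib import Path

# File extensions Android/Simplocker.A targets on the SD card (from the report above)
TARGET_EXTS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc",
               "docx", "txt", "avi", "mkv", "3gp", "mp4"}

# (offset, expected bytes) for formats with a fixed signature; txt has none (assumed table)
MAGIC = {
    "jpeg": (0, b"\xff\xd8\xff"), "jpg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG"), "gif": (0, b"GIF8"), "bmp": (0, b"BM"),
    "pdf": (0, b"%PDF"), "doc": (0, b"\xd0\xcf\x11\xe0"),
    "docx": (0, b"PK\x03\x04"), "avi": (0, b"RIFF"),
    "mkv": (0, b"\x1a\x45\xdf\xa3"), "mp4": (4, b"ftyp"), "3gp": (4, b"ftyp"),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(ext: str, data: bytes) -> bool:
    """True when a file named with `ext` lacks that format's signature AND its content is
    near-random: the combination a file-encrypting Trojan leaves behind. A compressed but
    intact docx/mp4 keeps its signature and is therefore not flagged."""
    sig = MAGIC.get(ext)
    has_magic = sig is not None and data[sig[0]:sig[0] + len(sig[1])] == sig[1]
    return not has_magic and shannon_entropy(data[:65536]) > ENTROPY_THRESHOLD


def scan_directory(root: str) -> list:
    """Return sorted relative paths of targeted-type files under `root` that look encrypted."""
    flagged = []
    for path in Path(root).rglob("*"):
        ext = path.suffix.lower().lstrip(".")
        if path.is_file() and ext in TARGET_EXTS:
            if looks_encrypted(ext, path.read_bytes()[:65536]):
                flagged.append(str(path.relative_to(root)))
    return sorted(flagged)


def demo() -> list:
    """Build a constructed sample 'SD card' (not real victim data) and scan it."""
    root = tempfile.mkdtemp()
    (Path(root) / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 4000)  # intact
    (Path(root) / "notes.txt").write_bytes(b"Meeting at 10, bring the report. " * 100)
    (Path(root) / "video.mp4").write_bytes(bytes(range(256)) * 16)  # no 'ftyp', random-like
    return scan_directory(root)
```

Run `demo()` to see only the signature-less, high-entropy video.mp4 reported; point `scan_directory()` at a mounted SD card image to triage a real device.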
The sample we’ve analysed takes the form of an application called ‘Sex xionix’, but since it has not yet been found on the official Google Play store, we estimate that its prevalence is rather low at this time.
Our analysis of the Android/Simplocker.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress. Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of operations, but also because there is no guarantee that the cybercriminals will actually decrypt the files at all.
We encourage users to protect themselves against these threats (ESET Mobile Security for Android recognizes and neutralizes this threat) and to adhere to best security practices, such as keeping away from untrustworthy apps and app sources, and, if they are unfortunate enough to already be infected, to recover the files from a backup. If you have made a backup, then any Filecoder Trojan – be it on Android, Windows, or any other operating system – is nothing more than a nuisance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.