Mobile ransomware which locks down Android devices has been detected.
According to research by ESET, the file-encrypting malware, named Simplocker, scans the SD card for certain file types, encrypts them and demands a ransom to decrypt the files. ESET explained that after it is downloaded and launched, it displays a message in Russian and encrypts files in a separate thread in the background.
The message tells the victim that the device is “locked for viewing and distribution of child pornography, zoophilia and other perversions” and that the user has to pay 260 Ukrainian Hryvnia (£13). According to the message, the device will be unlocked within 24 hours after payment is received. If payment is not received, the user is told that all data on the device will be lost.
According to the blog by ESET malware researcher and security intelligence team lead Robert Lipovsky, the command and control server is hosted on a Tor .onion domain for purposes of protection and anonymity. “Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files,” he said. “The sample we’ve analyzed is in the form of an application called ‘Sex xionix’. It was not found on the official Google Play and we estimate that its prevalence is very low at this time.”
ESET suspects that the Russian-language ransomware is currently at a proof-of-concept stage or is a work in progress, but warned that the malware is fully capable of encrypting the user’s files.
Commenting, Michael Sutton, vice president of security research at Zscaler, said that the success of ransomware on the PC, such as CryptoLocker, meant it was inevitable that ransomware would move to the mobile space. “Just last month we saw the emergence of Koler on Android, which attempted to lock the user’s device and demand a ransom,” he said. “This Trojan goes a step further by actually encrypting certain files. Fortunately, mobile devices are more restrictive in permitting application access to the file system and as a result, this Trojan is limited to encrypting only those files on an installed SD card.”
He suspected that ransomware will continue to evolve in the mobile space, given the financial success that it has achieved in the PC realm. “Users should ensure that regular and continual backups of device applications and data are available. This way, should ransomware ever be installed, they will always be able to recover the phone content.”