Simplocker Is Android's First Crypto-Ransomware

News
By
published

Simplocker is the first crypto-ransomware for Android, and its operators use the Tor Internet protocol to stay hidden.

It's another first for the Android mobile operating system, and not the good kind: The first genuine Android encrypting-ransomware Trojan has been detected.

Simplocker, as the malware has been dubbed by security researchers, sneaks onto Android devices, secretly encrypts most of the files stored on the phone's SD card, locks the phone and then demands that users pay up in order to get their files and control of their phones returned to them.

Simplocker is still in its early stages, so it's not foolproof. But it's growing fast — although Simplocker was first detected less than a month ago, variations of the malware are already using the Tor privacy network to hide their tracks.

MORE: Best Android Antivirus Software 2014

Simplocker first surfaced in the middle of May, according to security expert Roman Unuchek of Moscow-based Kaspersky Lab, and was being sold on a virus-writers' forum for $5,000. By May 18, wrote Unuchek on Kaspersky's Secure List blog, the company had detected a new Android Trojan, which called Trojan-Ransom.AndroidOS.Pletor.a, using the code.

Last weekend, Bratislava, Slovakia-based security company ESET detected this Android Trojan as encryption ransomware, malware that holds users' devices for ransom by encrypting all the files on the device, thus rendering them unusable to their original owner. ESET named the Trojan Simplocker. 

Non-encrypting Android ransomware that merely locks the homescreen has been around for nearly a year. A few examples have pretended to also be encryption-based ransomware, but Simplocker is the first true crypto-ransomware for Android devices.

By today (June 9), Kaspersky had detected 30 variations on this Trojan, mostly in Eastern European countries, although Canada, Singapore and South Korea are also on the list.

Simplocker appears to spread via porn sites by pretending to be a custom media player that has to be downloaded in order to view videos. It has also been caught pretending to be a game or other kind of app available for download from a website.

Once it's on an Android device, the ransomware part of Simplocker's code takes over. Simplocker is a "police Trojan," a form of ransomware that pretends to originate with law enforcement and usually accuses victims of some soft of illegal activity, such as viewing child pornography, and demands that a "fine" be paid to restore user access. 

Simplocker uses AES encryption to encrypt image, document and movie files stored on the phone or tablet's SD card. Because Simplocker currently only targets SD cards, people who don't use removable storage cards on their Android devices, or owners of devices that don't have SD card slots at all (such as the Nexus 5 phone) are not at risk of file-encryption by Simplocker.

Once the encryption is accomplished, victims of Simplocker will see the message: "WARNING your phone is locked! The device is locked for viewing and distribution child pornography, zoophilia and other perversions." The malware will then give instructions for how to send an electronic ransom payment.

Right now the malware's text is all in Russian, and it demands payment in the Ukranian currency hryvnias, suggesting that it currently only targets Eastern European Android users. However, it's more than likely that cybercriminals will adapt Simplocker to target other countries as well.

A version of the Simplocker malware also contacts a command-and-control server (through which criminals control the malware) and uploads some identifying information from infected phones. ESET reports that this server uses the Tor Internet-privacy protocol, which will make it difficult to trace the server's physical location or determine who is operating it.

Simplocker has no built-in mechanism for verifying if payment was received. Apparently, the criminals operating it would send individual unlock commands via the command-and-control server once they received individual electronic payments. There is no confirmation that the criminals will in fact unlock phones after receiving the ransom.

Fortunately, this encrypting Trojan isn't fool-proof. Users can regain control of their Android devices by rebooting into Safe Mode, though they will lose access to all encrypted images and documents. More advanced users can dig out the AES encryption keys stored inside the malware on the locked device and recover their files that way. 

Kaspersky says users can also email the infected files to newvirus@kaspersky.com, and the company will dig out the AES encryption key and restore the files.

Avoiding Simplocker in the first place is pretty easy, though: Don't download Android apps from anywhere but the Google Play store.

Email jscharr@tomsguide.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, onFacebook and on Google+.

See more Phones News
TOPICS
Jill Scharr

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

More about android phones
Google Pixel 9a render

Google Pixel 9a leak seemingly confirms design and colors — here’s the new look
android 16 logo on a samsung galaxy smartphone

Android 16 beta sleuths just found evidence of a very handy upgrade for millions

iPhone SE 4 renders with Apple event logo.

iPhone SE 4 could be based on a much newer iPhone than expected — and have a different name
See more latest
6 Comments Comment from the forums
  • wemakeourfuture
    If this was Apple there would be 100 comments by now.
    But since its Android its crickets on here.

    There's no question when it comes to security, updates, customer support and service Android devices are struggling.
    Reply
  • DarkSable
    If this was Apple there would be 100 comments by now.
    But since its Android its crickets on here.

    There's no question when it comes to security, updates, customer support and service Android devices are struggling.

    How did you not notice that this is the FIRST ransomware that's been detected on Android? iOS has had several of them now.

    On top of that, this one requires a user error so large as to download a "media player" to watch porn on. If that doesn't scream virus, I don't know what does.

    Android gets regular updates, and has decent security; it's on par with iOS there. When it comes to customer support and service, that's supplied by the companies that sell the phones - and it varies wildly, compared to the single company that sells iphones.

    What it comes down to is if you're enough of a techie that your phone doesn't have to protect itself from the user, get an Android. If you don't know what you're doing and want a very simple phone that just does things, buy an Apple.
    Reply
  • ericburnby
    How did you not notice that this is the FIRST ransomware that's been detected on Android? iOS has had several of them now.

    On top of that, this one requires a user error so large as to download a "media player" to watch porn on. If that doesn't scream virus, I don't know what does.

    Android gets regular updates, and has decent security; it's on par with iOS there. When it comes to customer support and service, that's supplied by the companies that sell the phones - and it varies wildly, compared to the single company that sells iphones.

    What it comes down to is if you're enough of a techie that your phone doesn't have to protect itself from the user, get an Android. If you don't know what you're doing and want a very simple phone that just does things, buy an Apple.

    Wrong. It clearly states in the article that there have been several other attempts at this on Android. This is the first one that can actually encrypt data.

    And the iOS ones you're talking about weren't exploits of iOS itself, they were people stupid enough to use the same Apple ID/password on other sites, so that when those sites got hacked they had you ID so they could lock your phone. There's no evidence at all that iOS itself was hacked for those attacks.

    Android does not get regular updates. Google Play Services does, but it's not capable of patching all exploits in Android since it's limited in what it has access to. Any low-level security issues still need the actual OS to be patched, which can take time.

    BTW, iOS is FIPS 140-2 certified. Android is not. Tell me again why Android is "on par" with iOS when it doesn't carry the same security certification that iOS does? There's a reason why iOS completely dominates Android in Enterprise/Corporate usage despite having a supposedly "small market share".
    Reply
  • John Wittenberg
    I've used both IOS (first with the 3GS) and have since gone to Android. I prefer Android because I simply have more options to do what I want to do with it.

    If I didn't, I would still be rocking IOS. I suspect most (not all!) others out there are of a similar mindset on both sides of the isle.

    TLDR, who cares? They both work.
    Reply
  • ferooxidan
    How did you not notice that this is the FIRST ransomware that's been detected on Android? iOS has had several of them now.

    On top of that, this one requires a user error so large as to download a "media player" to watch porn on. If that doesn't scream virus, I don't know what does.

    Android gets regular updates, and has decent security; it's on par with iOS there. When it comes to customer support and service, that's supplied by the companies that sell the phones - and it varies wildly, compared to the single company that sells iphones.

    What it comes down to is if you're enough of a techie that your phone doesn't have to protect itself from the user, get an Android. If you don't know what you're doing and want a very simple phone that just does things, buy an Apple.

    Wrong. It clearly states in the article that there have been several other attempts at this on Android. This is the first one that can actually encrypt data.

    And the iOS ones you're talking about weren't exploits of iOS itself, they were people stupid enough to use the same Apple ID/password on other sites, so that when those sites got hacked they had you ID so they could lock your phone. There's no evidence at all that iOS itself was hacked for those attacks.

    Android does not get regular updates. Google Play Services does, but it's not capable of patching all exploits in Android since it's limited in what it has access to. Any low-level security issues still need the actual OS to be patched, which can take time.

    BTW, iOS is FIPS 140-2 certified. Android is not. Tell me again why Android is "on par" with iOS when it doesn't carry the same security certification that iOS does? There's a reason why iOS completely dominates Android in Enterprise/Corporate usage despite having a supposedly "small market share".

    From the fact, and Tom's article stating that so many iPhone users already became victim of ransomware and Android just got it "first"? even this "first" can be blocked just by not downloading anything except from Google playstore while iPhone got locked because the cracker crack Apple cloud service and locked user phone. Android: got locked by downloading suspicious software out there, user fault; iPhone: got locked because hacker hack into Apple server while the user doing nothing, FIPS 140-2 certified.
    Reply
  • jrob801
    How did you not notice that this is the FIRST ransomware that's been detected on Android? iOS has had several of them now.

    On top of that, this one requires a user error so large as to download a "media player" to watch porn on. If that doesn't scream virus, I don't know what does.

    Android gets regular updates, and has decent security; it's on par with iOS there. When it comes to customer support and service, that's supplied by the companies that sell the phones - and it varies wildly, compared to the single company that sells iphones.

    What it comes down to is if you're enough of a techie that your phone doesn't have to protect itself from the user, get an Android. If you don't know what you're doing and want a very simple phone that just does things, buy an Apple.

    Wrong. It clearly states in the article that there have been several other attempts at this on Android. This is the first one that can actually encrypt data.

    And the iOS ones you're talking about weren't exploits of iOS itself, they were people stupid enough to use the same Apple ID/password on other sites, so that when those sites got hacked they had you ID so they could lock your phone. There's no evidence at all that iOS itself was hacked for those attacks.

    Android does not get regular updates. Google Play Services does, but it's not capable of patching all exploits in Android since it's limited in what it has access to. Any low-level security issues still need the actual OS to be patched, which can take time.

    BTW, iOS is FIPS 140-2 certified. Android is not. Tell me again why Android is "on par" with iOS when it doesn't carry the same security certification that iOS does? There's a reason why iOS completely dominates Android in Enterprise/Corporate usage despite having a supposedly "small market share".


    IOS has recently been exploited both through iCloud AND through the Find My iPhone app. Apple has stated the two are unrelated (IE at least one of them is not a simple password hack).

    The Android ransomware hack requires a user to be looking at either porn or warez (both of which are areas where anyone with half an ounce of sense is totally on alert) AND requires you to install a 3rd party application.

    You tell me which is scarier, knowing your phone can be hacked through factory installed software, or through a set of steps that requires you to be totally idiotic at at least 3 different points?
    Reply