Android / Simplocker ransomware targets English-speaking users

Last month we wrote about the emergence of new modifications of the Simplocker ransomware for Android: the attackers had changed some of the malware's behaviour as well as its distribution vectors. Last week we discovered further modifications of this malware (detected as Android/Simplocker.I) that add several significant improvements.



The first change that catches the eye is the ransom message, which is now displayed in English. It intimidates the victim into paying by claiming that the device has been locked by law enforcement, specifically the FBI, after illegal content in the form of child pornography was found on it. Ransomware covers of this kind are not uncommon in the Windows world. The ransom is now $300 (compared with the previous 260 hryvnia, which corresponds to 16 euros or $21), and payment must now be made through the MoneyPak service. As in previous versions of Simplocker, the attackers continue to show an image from the smartphone camera in the ransom message.



From a technical standpoint, the file-encryption mechanism is almost unchanged apart from the use of a new encryption key. In addition, the updated trojan can encrypt ZIP, 7z and RAR archives. These formats join the ones already targeted since the last modification of the malware, which concentrated on image files, documents and videos.



Encrypting archives can have unpleasant consequences for the user. Android backup tools (which we strongly recommend using) store backups as archives, so on a device infected with Android/Simplocker.I those backups will be encrypted too.
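A defender-side check suggested by this point, added here as an example and not part of the original article: a small Python script that audits a folder of backup archives and flags any ZIP, 7z or RAR file that no longer carries its format signature or fails a ZIP integrity test, which is how an encrypted backup would present itself. The folder layout, file names and sample archives are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

# Magic bytes of the archive formats the article says Simplocker.I now targets.
# Assumption: a backup whose header no longer matches, or whose ZIP members
# fail a CRC test, has been overwritten (for example by ransomware encryption).
SIGNATURES = {
    ".zip": b"PK\x03\x04",
    ".7z": b"7z\xbc\xaf\x27\x1c",
    ".rar": b"Rar!\x1a\x07",
}

def check_archive(path):
    """Return 'ok', 'corrupt' or 'unknown' for one backup archive."""
    ext = os.path.splitext(path)[1].lower()
    magic = SIGNATURES.get(ext)
    if magic is None:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(len(magic))
    if head != magic:
        return "corrupt"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                if zf.testzip() is not None:  # first member with a bad CRC
                    return "corrupt"
        except zipfile.BadZipFile:
            return "corrupt"
    return "ok"

def audit_backups(directory):
    """Map every file in a backup folder to its archive status."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = check_archive(path)
    return results

def demo():
    """Constructed backup folder: one intact ZIP and one overwritten ZIP."""
    tmp = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(tmp, "photos.zip"), "w") as zf:
        zf.writestr("IMG_0001.jpg", b"constructed image bytes")
    # Simulated ransomware output: the archive's bytes replaced by opaque data.
    with open(os.path.join(tmp, "docs.zip"), "wb") as f:
        f.write(b"\x8f\x3a" * 32)
    return audit_backups(tmp)
```

Run `demo()` to see the intact archive reported as `ok` and the overwritten one as `corrupt`; pointing `audit_backups` at a real backup folder gives the same per-file verdicts.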

The malware also asks to be installed as a Device Administrator, i.e. it requests elevated privileges in the system. Legitimate applications use Device Administrator privileges for various purposes, such as security: corporate device-management tools, for example, use them to enforce a password policy or to remotely wipe data from a stolen device.

Android/Simplocker.I uses Device Administrator status to protect itself from removal: before the application can be uninstalled, the user must first revoke its administrator rights (Settings -> Security -> Device Administrators).

As in many other malware campaigns, the cybercriminals use social engineering to entice the user into installing the malware; in this case it disguises itself as a video player, as shown in the screenshot below.



Our detection statistics to date do not show this threat spreading in English-speaking countries.

If your device has fallen victim to Android/Simplocker, you can use the updated ESET Simplocker Decryptor tool to recover your data. As usual in such cases, however, we recommend concentrating on preventing infection: be careful when installing applications on your device, especially ones that request Device Administrator rights.
