In a new blog post, Robert Lipovsky, security researcher at ESET, analyses the first ever Android file-encrypting, Tor-enabled ransomware.
Key takeaways from the post include:
- Last weekend saw the (somewhat anticipated) discovery of an interesting mobile trojan – the first spotting of a file-encrypting ransomware for Android by our detection engineers.
- Almost exactly one year ago, a hybrid comprising characteristics of a rogue AV and ransomware (the lockscreen type, not a file-encryptor) was discovered, calling itself Android Defender, as reported by Symantec. It had all the typical traits of a fake AV and all the typical traits of a lockscreen ransomware – in that it was not actually that trivial to get rid of when a user was not protected by a mobile antivirus: they had to disable it by booting their device into Safe mode.
- This Android trojan, detected by ESET as Android/Simplocker, after setting foot on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files.
- The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising; the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine.
- Our analysis of the Android/Simplocker.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.
- Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.