Simplocker Variants Turn Up the Scareware With User Mug Shots

Security experts have discovered several new variants of file-encrypting Android ransomware Simplocker

Security experts have discovered several new variants of file-encrypting Android ransomware Simplocker, including one that tries to blackmail the user by taking a photo of them with their smartphone camera.

The malware family was first discovered earlier this month by researchers at ESET, who described it as the first Android malware they had seen that actually encrypts the files on a victim's phone, rather than merely locking the screen, in order to scare the victim into paying the ransom.
 
It also had its command-and-control server hosted on a Tor (.onion) domain to hide its location, they revealed.
 
However, new variants discovered in the wild show that the cybercriminal underground is already experimenting with different versions.
 
Some don’t use Tor at all but a more conventional C&C domain, while others use a different method of receiving the command to decrypt files once a ransom has been paid, according to ESET malware researcher Robert Lipovsky.
 
He added in a blog post that some display a photo of the victim taken covertly by the device camera “to increase the scareware factor.”
 
The newly discovered variants also feature different “nag screens” and different ransoms – including some in Russian rubles as opposed to the original, which demanded Ukrainian hryvnias.
 
Some apparently don’t even contain a file encryption element at all but use the more common lockscreen tactic.
 
ESET said it also discovered variants using an infection vector more unusual than the usual lure of pornographic content or popular games: a trojan-downloader component.
 
“Using trojan-downloaders to ‘dynamically’ download additional malware into an infected system is common practice in the Windows malware world – and while this is not the first case we’ve seen – it is still noteworthy on Android,” wrote Lipovsky.
 
“One trojan-downloader (detected by ESET as Android/TrojanDownloader.FakeApp) we’ve analyzed was attempting to trick the user into downloading a fake video player – which, as you might have guessed, was the Android/Simplocker Trojan.”
 
He argued that this technique has a better chance of getting the malware past Google Play’s app scanning and past security-conscious users. The downloader itself only opens a URL outside the app, which is not malicious behavior in itself, and it requests virtually no “potentially harmful” permissions, so even an eagle-eyed user may be tempted to allow it. The file-encrypting payload, and whatever permissions it needs, only show up in the second stage, which a review of the first app never sees.
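The evasion described above is worth seeing from the reviewer's side. The script below is an added example, not code from the article or from ESET: it runs a permission-based triage over two constructed AndroidManifest.xml fragments (a downloader that asks only for INTERNET, and a ransomware-style payload that asks for storage, camera and boot persistence) and then applies a second heuristic that looks for an ACTION_VIEW intent plus an external .apk URL in the app's string table. The "harmful" permission list, the package names, the URL and the string dump are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical triage list of permissions a reviewer would flag as potentially
# harmful. Not Google's classification; chosen to illustrate the point.
HARMFUL_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Constructed manifest for a downloader-style "video player": one activity, INTERNET only.
DOWNLOADER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevideoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest for a file-encrypting payload that needs storage, camera and boot persistence.
PAYLOAD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.locker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player"/>
</manifest>
"""

# Constructed string dump of the downloader's classes.dex (what `strings` or a
# decompiler would show). The URL is a placeholder, not a real indicator.
DOWNLOADER_STRINGS = [
    "android.intent.action.VIEW",
    "http://example.invalid/videoplayer/update.apk",
    "Please update your video player to continue",
]

APK_URL = re.compile(r"https?://[^\s\"']+\.apk\b", re.IGNORECASE)


def requested_permissions(manifest_xml):
    """All <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def harmful_permissions(manifest_xml):
    """Subset of requested permissions that a permission-only review would flag."""
    return requested_permissions(manifest_xml) & HARMFUL_PERMISSIONS


def external_apk_urls(strings):
    """URLs pointing at an .apk, i.e. a second-stage package fetched from outside the store."""
    return sorted(u for s in strings for u in APK_URL.findall(s))


def triage(manifest_xml, strings):
    """Combine both checks. A downloader is exactly the case where the first check
    is clean and only the second one fires."""
    perms = harmful_permissions(manifest_xml)
    urls = external_apk_urls(strings)
    opens_external = any("android.intent.action.VIEW" in s for s in strings)
    return {
        "harmful_permissions": sorted(perms),
        "apk_urls": urls,
        "downloader_pattern": opens_external and bool(urls) and not perms,
    }


if __name__ == "__main__":
    print("downloader:", triage(DOWNLOADER_MANIFEST, DOWNLOADER_STRINGS))
    print("payload:   ", triage(PAYLOAD_MANIFEST, []))
```

Run against the constructed inputs, the permission check gives the downloader a clean result and flags only the payload, while the ACTION_VIEW-plus-.apk-URL heuristic is what marks the downloader; a store scanner or a user who judges the first app by its permission prompt alone sees nothing, which is the whole point of staging the infection this way.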
