Security vendor ESET claims to have discovered the first ever piece of file-encrypting Android ransomware, which has an associated C&C server hosted on a TOR domain to hide its location.
The malware, detected by the vendor as 'Android/Simplocker', is most likely a work in progress, as the implementation of the encryption “doesn’t come close” to the notorious Cryptolocker Windows ransomware that hit the headlines recently, ESET malware researcher Robert Lipovsky wrote in a blog post.
“Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved,” he added.
“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
Once downloaded, Simplocker scans the Android device’s SD card for various file types – including jpeg, avi and mkv – encrypts them and demands a ransom from the user to decrypt them.
So far, ESET has only seen the malware display a ransom message in Russian, and the payment demanded is 260 Ukrainian hryvnias ($21) – so the current threat is likely targeted at victims in that region.
Payment is apparently demanded via the MoneXy service, which is harder to trace than regular payment cards.
In the background, Simplocker also contacts its C&C server, hosted on TOR for anonymity, to upload device information including the IMEI number.
The new discovery is yet another indication of the rapid R&D work being carried out and implemented by the criminal underground.
It moves the whole category of Android ransomware on again from the Android Defender variant discovered a year ago, which featured a lockscreen but no file encryption.
It’s also potentially more serious than the Reveton-like malware which tries to shame victims into paying by flashing up a fake police message claiming they have accessed illegal porn sites. That particular ransomware threat also does not encrypt files.
Michael Sutton, VP of security research at Zscaler, advised Android users to avoid third-party app stores.
“The vast majority of Android malware is found on stores outside of the official Google Play store, which does a reasonable job of automating malware detection and preventing malicious apps from ever being listed,” he argued.
“Beyond that, users should ensure that regular and continual backups of device applications and data are available. This way, should ransomware ever be installed, they will always be able to recover the phone content.”