A new version of the infamous Simplocker malware has been discovered in English featuring a raft of improvements including expanded file encryption technology, security researchers have warned.
Simplocker was first spotted at the beginning of June and pegged as the first ever piece of Android ransomware to encrypt the files on its victim’s phones until they agreed to pay the stated fee.
However, until now, it has only been observed in Russian – with the ransom demanded in Ukrainian hryvnias or Russian rubles.
The new version discovered this week by ESET appears to reveal “significant improvements”, including a ransom message in English purporting to come from the FBI and warning that the user has been engaged in illegal activity like watching child pornography.
The ransom has also been westernized to be displayed in US dollars ($300) and to be paid by a MoneyPak voucher to maintain anonymity.
Although the actual file-encryption technology is virtually unchanged from the original – which Eset described as “not exactly NSA-grade” – it does contain two extra features to make life more difficult for the victim, malware researcher, Robert Lipovsky, wrote in a blog post.
“In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR,” he explained.
“This ‘upgrade’ can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well.”
A second change means the malware asks to be installed as Device Administrator, making it harder to remove, Lipovsky explained.
“Legitimate Device Administrator applications use these extended permissions for various, mostly security-related reasons. For example, corporate Exchange administrators can enforce password policies, remotely wipe lost or stolen devices, and so on”, he added
“Android/Simplocker.I (and other Android ransomware in the past) only uses the functionality for its own protection, since the user must first revoke the application’s Device Administrator rights before uninstalling it.
And that’s rather difficult to do when the ransomware is locking your screen.”
The good news is that this version of Simplocker hasn’t been widely spotted targeting English speaking users as of yet, according to ESET.
However, Lipovsky warned netizens to be extra careful when downloading content – especially when apps ask for Device Administrator rights.