Level 85
Staff member
Simplocker is not as sophisticated as Cryptolocker, but it could still imperil all your SD card files
Security vendor ESET claims to have discovered the first ever piece of file-encrypting Android ransomware, which has an associated C&C server hosted on a TOR domain to hide its location.

The malware, detected by the vendor as 'Android/Simplocker', is most likely a work in progress as the implementation of the encryption “doesn’t come close” to the notorious Cryptolocker Windows ramsomware that hit the headlines recently, ESET malware researcher Robert Lipovsky wrote in a blog post.

“Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved,” he added.

“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”

Once downloaded, Simplocker scans the Android device’s SD card for various file types – including jpeg, avi and mkv – encrypts them and demands a ransom from the user to decrypt them.

ESET has only discovered the malware thus far displaying a ransom message in Russian and the payment demanded is 260 Ukrainian hryvnias ($21) – so it is likely that the current threat is targeted at victims from this region.

Payment is apparently demanded via the MoneXy service, which is harder to trace than regular payment cards.

In the background, Simplocker also contacts its C&C server, hosted on TOR for anonymity, to upload device information including IMEI number.

The new discovery is yet another indication of the rapid R&D work being carried out and implemented by the criminal underground.

Read more: http://www.infosecurity-magazine.com/view/38716/experts-discover-fileencrypting-android-ransomware/
  • Like
Reactions: Overkill and Oxygen