Upgrade for Android Ransomware

Monday, February 16, 2015 @ 10:02 AM gHale

A variant of Simplocker, a file-encrypting ransomware for Android devices, is now circulating, and it relies on a unique encryption key for each infected device, researchers said.

This latest version is light years ahead of previous versions, said researchers from Avast, who found that devising a tool to reverse the encryption is no longer an easy task.


Over 5,000 unique users suffered from the infection shortly after researchers discovered the new strain.

Previous versions of the malware relied on a single key to lock files on the affected devices.

“The new variant however, locks each device with a ‘different key’ which makes it impossible to provide a solution that can unlock each infected device, because that would require us to ‘make copies’ of all the different ‘keys,’” Nikolaos Chrysaidos from Avast said in a blog post.

Simplocker spreads through the common method of disguising itself as a legitimate program for the mobile platform.

According to the researchers, the malicious sample poses as an installer for Flash Player. The cybercriminals appear to deliver advertisements informing the victim that Flash needs an update, pointing them to the malicious download location.

To install the fake update, the Android device must be configured to allow installation of software from untrusted sources, a setting many devices already have enabled because their owners install programs from third-party marketplaces.

Avast researchers said the malware requests device administrator privileges, which makes it more difficult to remove because not all users know where on the device the apps holding administrator rights are listed and can be disabled.

The ransom message claims to be a notification from the FBI about suspicious, copyright-infringing files found on the device. The data is encrypted, and the user is told it can be unlocked by paying a $200 fee.

The security company determined the current version of Simplocker connects to the command and control server every hour using the XMPP communications protocol (username “timoftei” is used, indicating an attacker from Eastern Europe). At first contact with the server the malware sends data such as IMEI, version of the operating system, carrier name, phone number and country.
