Researchers working for security firm ESET have discovered the first ever malware capable of encrypting data files on an Android smartphone as part of a full-blown 'Cryptolocker-style' ransom attack.
Called ‘Simplocker’, the Russian-language Trojan scans the device's SD card or internal storage and encrypts any data files it finds there that carry one of a range of extensions, including obvious ones such as .jpg, .doc, .avi, and .mp4. The encryption used is AES with a 256-bit key.
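For anyone triaging a device after an infection like this, the practical question is which files on the card have actually been overwritten with ciphertext. The following script is an added example, not ESET's tooling or anything from the malware itself: it walks a copy of the SD card (for instance one taken with `adb pull /sdcard/ ./sdcard`), checks each file with one of the listed extensions for its expected magic bytes, and measures the entropy of its first 4 KB. The signature table covers only the four extensions the article names, the sample files it writes are constructed for the demo, and the "ciphertext" it plants is a SHA-256 hash chain standing in for AES output; all of that is an assumption of the example, not a description of Simplocker's output format.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# File-signature table for the extensions named in the article. These are the
# standard magic bytes: JPEG SOI marker, OLE2 compound file (.doc), RIFF/AVI,
# and the ISO BMFF 'ftyp' box that sits at offset 4 in an MP4.
SIGNATURES = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],
    ".avi": [(0, b"RIFF"), (8, b"AVI ")],
    ".mp4": [(4, b"ftyp")],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(data: bytes, ext: str) -> bool:
    """True if every expected magic sequence for this extension is present."""
    sigs = SIGNATURES.get(ext.lower())
    if sigs is None:
        return True  # nothing to compare against for unknown extensions
    return all(data[off:off + len(magic)] == magic for off, magic in sigs)


def triage_file(path: str, sample_size: int = 4096) -> dict:
    """Flag a file whose header is gone and whose leading bytes look random.
    The header check is the real signal: compressed media is already high
    entropy, so entropy alone cannot separate a JPEG from AES ciphertext."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    ext = os.path.splitext(path)[1]
    ok = header_matches(head, ext)
    ent = shannon_entropy(head)
    return {"name": os.path.basename(path), "header_ok": ok,
            "entropy": round(ent, 2), "likely_encrypted": (not ok) and ent > 7.5}


def triage_dir(root: str) -> list:
    """Walk a pulled SD card tree and triage every file with a known extension."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SIGNATURES:
                out.append(triage_file(os.path.join(dirpath, name)))
    return sorted(out, key=lambda r: r["name"])


def ciphertext_like(n: int) -> bytes:
    """Deterministic stand-in for AES output (constructed: a hash chain, not AES)."""
    return b"".join(hashlib.sha256(bytes([i % 256])).digest() for i in range(n // 32))


def build_sample_tree(root: str) -> None:
    """Write a constructed SD-card layout: two intact files, two overwritten ones."""
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 2000,    # intact
        "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"hello " * 300,  # intact
        "photo2.jpg": ciphertext_like(4096),   # header replaced by ciphertext
        "clip.mp4": ciphertext_like(4096),     # same
        "readme.txt": b"not a media file\n",   # extension not in the table: skipped
    }
    os.makedirs(os.path.join(root, "DCIM"), exist_ok=True)
    for name, body in files.items():
        with open(os.path.join(root, "DCIM", name), "wb") as f:
            f.write(body)


def demo() -> list:
    """Build the constructed tree and return the names flagged as encrypted."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [r["name"] for r in triage_dir(root) if r["likely_encrypted"]]


if __name__ == "__main__":
    print(demo())
```

Run `triage_dir()` against the directory you pulled the card into and look at the `likely_encrypted` rows. A file that fails the header check but has low entropy is more likely truncated or corrupt than encrypted, which is why both signals are combined rather than either alone.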
The splash screen then states [translated from Russian]: “WARNING your phone is locked! The device is locked for viewing and distribution of child pornography, zoophilia and other perversions,” before demanding 260 Ukrainian Hryvnia (about £13 or $21), payable via MoneXy, in return for decrypting the data.
An unusual feature is that the malware’s command and control (C&C) server is reached through the Tor anonymity service. It also doesn’t appear to hand the victim a conventional unlock key: instead the operator works out which victims have paid by matching money transfers against the smartphone’s IMEI number, which the malware reports over this channel, and then triggers decryption remotely.
ESET reckons the malware’s prevalence is currently “very low”. So far it is targeting Android users in Russian-speaking countries, who become infected after installing an app called ‘Sex xionix’ from a third-party app store.
Even if the threat from this particular app is very low, the intent behind it is not. What starts on Russian malware sites has a habit of eventually evolving into more sophisticated attacks in other markets. There can be little doubt that encryption malware in its most severe form is coming to the wider population of Android devices at some point.
ESET is at pains to distinguish Simplocker from other types of mobile malware that use the ransom tactic in annoying but less serious ways. A recent example was the Reveton-linked lockscreen attack, which demanded a ransom after pestering the user with pop-ups that made the smartphone hard to operate.
Probably the first attack of this kind was ‘Android Defender’ last June, which demanded payment in return for cleaning the device of non-existent malware.
Although alarming, Android ransom attacks have not until now actually encrypted files in a way that would make the data impossible to retrieve without paying up. Encryption malware is common on PCs, witness the notorious Cryptolocker, but Simplocker is the first example to use this approach on a mobile device.
“Our analysis of the Android/Simplock.a sample revealed that we are most likely dealing with a proof-of-concept or a work in progress. For example, the implementation of the encryption doesn’t come close to the infamous Cryptolocker on Windows,” said ESET’s researchers.
“Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up, not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”
The good news is that Android smartphone and tablet users have a straightforward defence against such attacks as long as they back up their files to Google’s cloud: they can simply reset the device and restore their files from the backup. Simplocker doesn’t appear to go after cloud storage, although that backup could become a target in future.