It's another first for the Android mobile operating system, and not the good kind: The first genuine Android encrypting-ransomware Trojan has been detected.
Simplocker, as the malware has been dubbed by security researchers, sneaks onto Android devices, secretly encrypts most of the files stored on the phone's SD card, locks the phone and then demands that users pay up in order to get their files and control of their phones returned to them.
Simplocker is still in its early stages, so it's not foolproof. But it's growing fast — although Simplocker was first detected less than a month ago, variations of the malware are already using the Tor privacy network to hide their tracks.
Simplocker first surfaced in the middle of May, according to security expert Roman Unuchek of Moscow-based Kaspersky Lab, and was being sold on a virus-writers' forum for $5,000. By May 18, wrote Unuchek on Kaspersky's Secure List blog, the company had detected a new Android Trojan using the code, which it called Trojan-Ransom.AndroidOS.Pletor.a.
Last weekend, Bratislava, Slovakia-based security company ESET detected this Android Trojan as encryption ransomware, malware that holds users' devices for ransom by encrypting all the files on the device, thus rendering them unusable to their original owner. ESET named the Trojan Simplocker.
Non-encrypting Android ransomware that merely locks the homescreen has been around for nearly a year. A few examples have pretended to also be encryption-based ransomware, but Simplocker is the first true crypto-ransomware for Android devices.
By today (June 9), Kaspersky had detected 30 variations on this Trojan, mostly in Eastern European countries, although Canada, Singapore and South Korea are also on the list.
Simplocker appears to spread via porn sites by pretending to be a custom media player that has to be downloaded in order to view videos. It has also been caught pretending to be a game or other kind of app available for download from a website.
Once it's on an Android device, the ransomware part of Simplocker's code takes over. Simplocker is a "police Trojan," a form of ransomware that pretends to originate with law enforcement, usually accuses victims of some sort of illegal activity, such as viewing child pornography, and demands that a "fine" be paid to restore user access.
Simplocker uses AES encryption to encrypt image, document and movie files stored on the phone or tablet's SD card. Because Simplocker currently only targets SD cards, people who don't use removable storage cards on their Android devices, or owners of devices that don't have SD card slots at all (such as the Nexus 5 phone) are not at risk of file-encryption by Simplocker.
Once the encryption is accomplished, victims of Simplocker will see the message: "WARNING your phone is locked! The device is locked for viewing and distribution child pornography, zoophilia and other perversions." The malware will then give instructions for how to send an electronic ransom payment.
Right now the malware's text is all in Russian, and it demands payment in the Ukrainian currency, hryvnias, suggesting that it currently only targets Eastern European Android users. However, it's more than likely that cybercriminals will adapt Simplocker to target other countries as well.
A version of the Simplocker malware also contacts a command-and-control server (through which criminals control the malware) and uploads some identifying information from infected phones. ESET reports that this server uses the Tor Internet-privacy protocol, which will make it difficult to trace the server's physical location or determine who is operating it.
Simplocker has no built-in mechanism for verifying if payment was received. Apparently, the criminals operating it would send individual unlock commands via the command-and-control server once they received individual electronic payments. There is no confirmation that the criminals will in fact unlock phones after receiving the ransom.
Fortunately, this encrypting Trojan isn't foolproof. Users can regain control of their Android devices by rebooting into Safe Mode, though they will lose access to all encrypted images and documents. More advanced users can dig out the AES encryption keys stored inside the malware on the locked device and recover their files that way.
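Because the key is embedded in the malware itself rather than generated per victim and handed only to the attacker, recovery amounts to extracting that key and running the same cipher in reverse. The Go program below is an added example written for this article; it is not code from the article, from ESET or from Kaspersky. It assumes an encrypted file is laid out as a 16-byte IV followed by AES-256-CBC ciphertext with PKCS#7 padding, and that the key is derived by hashing a password string with SHA-256; the string `PLACEHOLDER-password-from-APK` is a constructed stand-in for whatever an analyst would actually recover from a sample. A magic-byte check on the decrypted bytes confirms the right key was used before anyone overwrites a victim's file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns a hard-coded password string into a 32-byte AES-256 key.
// The SHA-256 derivation is an assumption for this example; the article only
// says the AES key is stored inside the malware.
func deriveKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding, which is
// the usual first sign that a wrong key was tried.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length not a multiple of block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:len(data)-n], nil
}

// RecoverFile decrypts one encrypted file image with the key recovered from
// the Trojan. Assumed layout: 16-byte IV, then AES-256-CBC ciphertext.
func RecoverFile(encrypted []byte, key []byte) ([]byte, error) {
	if len(encrypted) < 2*aes.BlockSize {
		return nil, errors.New("file too short to hold an IV and one block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, body := encrypted[:aes.BlockSize], encrypted[aes.BlockSize:]
	if len(body)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain)
}

// PlausibleMedia reports whether decrypted bytes start like one of the file
// types the article says the Trojan targets (JPEG, PNG, PDF). Use it as a
// sanity check on the key before writing recovered files back to the card.
func PlausibleMedia(data []byte) bool {
	return bytes.HasPrefix(data, []byte{0xFF, 0xD8, 0xFF}) || // JPEG
		bytes.HasPrefix(data, []byte{0x89, 'P', 'N', 'G'}) || // PNG
		bytes.HasPrefix(data, []byte("%PDF"))
}

// BuildSampleCiphertext is a constructed test fixture standing in for a file
// found on an infected SD card; it produces the layout RecoverFile expects.
func BuildSampleCiphertext(plaintext, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

func main() {
	key := deriveKey("PLACEHOLDER-password-from-APK") // constructed, not a real value
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)  // constructed
	photo := append([]byte{0xFF, 0xD8, 0xFF, 0xE0}, []byte("constructed JPEG body")...)
	sample := BuildSampleCiphertext(photo, key, iv)

	recovered, err := RecoverFile(sample, key)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	fmt.Printf("recovered %d bytes, looks like media: %v\n", len(recovered), PlausibleMedia(recovered))
}
```

The same program, pointed at a real directory of encrypted files, would loop over them, call `RecoverFile`, and write the output only when `PlausibleMedia` (or a matching file size and a known extension) says the key fits; when a wrong key is tried, CBC padding checks usually fail outright, and when they happen to pass the magic-byte check catches the garbage instead.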
Kaspersky says users can also email the infected files to firstname.lastname@example.org, and the company will dig out the AES encryption key and restore the files.
Avoiding Simplocker in the first place is pretty easy, though: Don't download Android apps from anywhere but the Google Play store.