Armor.Ransomware.Simplocker

Aliases

  • ESET: a variant of Android/Simplocker.B trojan

Category: Trojan

  • This is a threat.
  • Can cost money.
  • May be a privacy threat.
  • Potentially unwanted behavior.

Summary

Simplocker is a ransomware threat discovered by ESET that encrypts files on the SD card of the infected device. It does not install itself: the victim has to download and install the APK on the device. Simplocker is distributed through malicious websites designed to look like Google Play, under the guise of a free adult-themed application.

Once installed, Simplocker scans the device's SD card and encrypts files with the following extensions using AES:

  • .3gp
  • .avi
  • .bmp
  • .doc
  • .docx
  • .gif
  • .jpeg
  • .jpg
  • .mkv
  • .mp4
  • .pdf
  • .png
  • .txt
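The list above is what an incident responder would key a triage on once the SD card has been copied off the device. The script below is an added example, not code from the original Armor write-up or from the Simplocker sample: it walks a copied SD card tree, and for each file with a targeted extension checks whether the format's expected leading signature is still present (AES output has no such header); .txt files, which have no signature, are judged on byte entropy instead. The sample tree, paths, and "ciphertext" (deterministic SHA-256 output standing in for AES) are constructed here for the demonstration. It assumes the sample leaves file names unchanged; a variant that renames its output would need the extension lookup adjusted.

```python
"""Triage a copied SD card tree for files Simplocker would have encrypted.

Added example, not part of the original write-up. Assumes the SD card
contents were copied to a directory on an analysis machine. Every targeted
format except .txt starts with a fixed signature; AES output has none and
near-maximal byte entropy. Sample files below are constructed, not real
Simplocker ciphertext.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# The extensions listed in the write-up.
TARGET_EXTENSIONS = {".3gp", ".avi", ".bmp", ".doc", ".docx", ".gif", ".jpeg",
                     ".jpg", ".mkv", ".mp4", ".pdf", ".png", ".txt"}
# (offset, signature) pairs expected at the start of an intact file.
# .txt has no signature and is handled by the entropy check instead.
MAGIC = {
    ".3gp": [(4, b"ftyp")],
    ".avi": [(0, b"RIFF")],
    ".bmp": [(0, b"BM")],
    ".doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],   # OLE compound file
    ".docx": [(0, b"PK\x03\x04")],                          # ZIP container
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".mkv": [(0, b"\x1a\x45\xdf\xa3")],                     # EBML header
    ".mp4": [(4, b"ftyp")],
    ".pdf": [(0, b"%PDF")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
}
HIGH_ENTROPY = 7.5   # bits per byte; encrypted/random data sits near 8.0
HEAD_BYTES = 4096    # only the start of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def header_matches(ext: str, head: bytes):
    """True/False when the format has a signature, None when it has none."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(head[off:off + len(sig)] == sig for off, sig in sigs)

def classify(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return "not-targeted"
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if not head:
        return "empty"
    matched = header_matches(ext, head)
    if matched is True:
        return "intact"
    if matched is False:
        return "likely-encrypted"      # the expected signature is gone
    # No signature to check (.txt): entropy is only meaningful once there
    # are enough bytes to populate the 256-symbol space.
    if len(head) < 256:
        return "inconclusive"
    return "likely-encrypted" if shannon_entropy(head) > HIGH_ENTROPY else "intact"

def triage(root: str) -> dict:
    """Map each file under `root` (forward-slash relative path) to a verdict."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify(full)
    return verdicts

def pseudo_ciphertext(label: bytes, nbytes: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (constructed)."""
    out, block = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(label + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:nbytes])

# Constructed sample tree mimicking an SD card layout: intact files carry
# their real signature, "hit" files are pseudo-ciphertext.
SAMPLE_FILES = {
    "DCIM/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 500,
    "DCIM/holiday2.jpg": pseudo_ciphertext(b"holiday2", 2048),
    "Documents/notes.txt": b"shopping list\nmilk\neggs\nbread\n" * 20,
    "Documents/notes2.txt": pseudo_ciphertext(b"notes2", 2048),
    "Movies/clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 100,
    "Android/data/cache.bin": pseudo_ciphertext(b"cache", 256),
}

def write_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)

def demo() -> dict:
    """Write the constructed tree to a temp dir, triage it, return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return triage(root)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:17} {rel}")
```

Run it against a real copy with `triage("/path/to/sdcard-copy")`. The signature check is the reliable part; the entropy fallback for .txt is a heuristic, so treat "likely-encrypted" on small or already-compressed text as a prompt for manual inspection rather than a verdict.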

A pop-up alert is displayed to the user in Russian. The alert states that the device has been locked for "viewing and distributing child pornography, zoophilia, or other perversions." To unlock the device and regain access to the encrypted files the victim must pay a fine of 260 UAH (Ukrainian hryvnia, about $22). The alert claims the files will be decrypted within 24 hours of payment.

According to the alert, failure to pay the fine will result in complete loss of all encrypted data.

To pay the ransom the victim must send money via the MoneXy payment service to a designated account, and must then rely on the criminals to notice the payment and unlock the device.

The ransom alert has no field in which to enter a payment confirmation. Instead the ransomware harvests the following device information and reports it to a remote command and control server, which is meant to match the payment to the device and, in theory, trigger the unlock:

  • IMEI number
  • Device model
  • Manufacturer
  • Operating system version

Armor for Android considers this threat extremely dangerous and recommends that victims shut off their Android device immediately to minimize the number of files encrypted on the SD card. Armor for Android does NOT recommend paying the ransom.

See the Repair Instructions below.

Additional Details

Package Name:
Locker.zip
Locker.apk

First Detected:
June, 2014

File Type:
APK (Android application package file)

SHA256:

Permissions:
N/A

Repair Instructions

Users should be careful when downloading applications from third-party Android markets.

Always review application permissions to make sure no unusual permissions are being requested.

Android users should only download applications from a trusted source.

We advise Android users to download and use antivirus software to keep their Android device and personal information safe.

Removing Simplocker is particularly difficult and there is no guarantee that the encrypted files can be saved.

Once you discover that your device has been infected with Simplocker, turn it off. Many devices can be restarted in 'Safe Mode', which prevents third-party apps from running. Reboot the device in Safe Mode (the procedure differs between manufacturers and models, so look up the instructions for your handset) and uninstall the Simplocker application using the steps below.

Manual Uninstall:

  • Open the Android Menu
  • Go to Settings
  • Select Applications
  • Select Manage Applications
  • Select the infected application and tap the Uninstall button

If your device cannot be booted in Safe Mode, you will need to restore it to factory settings. The factory reset screen usually offers a separate option to erase the SD card; do not select it, so that the encrypted files are preserved for possible later recovery. Note that all data on the device's internal storage will be lost when you restore factory settings; this is one example of why it is important to back up your device regularly.

Android Malware Write-up By: James Green