Menu
Trojan app encrypts files on Android devices and asks for ransom

Trojan app encrypts files on Android devices and asks for ransom

It's the first Android ransomware threat with file-encrypting abilities, researchers from ESET said

The ransomware model is increasingly being adopted by cybercriminals who target mobile users, one of their latest creations being able to encrypt files stored on the SD memory cards of Android devices.

A new threat dubbed Android/Simplock.A was identified by researchers from antivirus firm ESET over the weekend and while it's not the first ransomware program for Android, it is the first one seen by the company that holds files hostage by encrypting them.

Other Android ransomware apps seen in the past, like Android Defender, found in June 2013, and Android.Koler, discovered in May, primarily used lockscreen techniques and persistent alerts to disrupt the normal operation of infected devices.

"Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES [the Advanced Encryption Standard]," the ESET researchers said Wednesday in a blog post.

The malware will then display a ransom message in Russian asking for a payment of 260 Ukrainian Hryvnia (around US$21.40) to be made through a service called MoneXy, suggesting that, at least for now, this threat targets users in Russian-speaking countries.

Using encryption to hold files hostage is a technique made popular among malware writers by Cryptolocker, a Windows ransomware program that infected more than 250,000 computers during the last three months of 2013. The FBI and law enforcement agencies in other countries seized the command-and-control servers used by Cryptolocker as part of a recent operation that also disrupted the Gameover Zeus botnet.

"Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress -- for example, the implementation of the encryption doesn't come close to 'the infamous Cryptolocker' on Windows," the ESET researchers wrote.

The new threat masquerades as an application called "Sex xionix," but it wasn't found on Google Play and its distribution so far is most likely low.

Another interesting aspect of Simplock.A is that it uses a .onion command-and-control (C&C) domain address. The .onion pseudo-top-level domain is only used inside the Tor anonymity network for accessing so-called hidden services.

One installed on a device, the ransomware app sends device identifiable information like the unique International Mobile Station Equipment Identity (IMEI) number back to the C&C server and waits to receive a command to decrypt the files -- most likely after the payment has been confirmed.

"While the malware does contain functionality to decrypt the files, we strongly recommend against paying up -- not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," the ESET researchers wrote.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securitymobile securityencryptionscamsesetdata protectionmalwarefraud

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments