Simplelocker Shows The Potential For Future Android Ransomware

If you have a computer at home then there is a very good chance that you have an antivirus program installed on it (it's not completely dead yet, you know), and if you run your own business then you likely have an enterprise security system in place, and you may even employ a team of information security professionals.

Why is that so?

Essentially it is to protect your data because every piece of information stored on your computer has a value.

It is easy to imagine how corporate data could have a financial value attached to it – wages were paid to create it, intellectual property has a value to competitors, and customer data has to be protected because the bad publicity and possible regulatory costs associated with a breach can be immense.

But home users also place value on their data too – holiday snaps and videos of the kids growing up may be irreplaceable and even downloading those Linux distros from a torrent site again will require electricity to power the computer, not to mention the time investment of finding them again.

That's why cyber criminals have cottoned on to another money-making idea in recent years.

By using software known as ransomware, typically spread via infected email attachments or as a secondary infection on an already compromised machine, they are able to encrypt all the data on the infected machine. Once that operation is complete a message will pop up, demanding money to unlock the files, and threatening to delete them if payment is not forthcoming.

And in many cases the victims do pay up.

The encryption used by ransomware is strong enough that the likelihood of retrieving the locked up data without paying the demands is remote.

As much as a ransomware victim would like to tell the bad guy who locked their machine up to do one, the reality is that far too few people have a strategy of backing up their key data, meaning that there is often no other option than to pay. And that doesn’t just apply to home users – many businesses are paying to remove ransomware too.

The good news is that computer users everywhere have some respite from the worst offender, for a while at least.

The authorities recently disrupted the Gameover Zeus botnet which, amongst other things, has been known to install the Cryptolocker ransomware which typically trots up to your PC and says, “Stand and Deliver! Your $300 or your data.”

This action, it is said, opens up a two week opportunity for computer users everywhere to clean up their systems and remove Gameover and Cryptolocker (tips on doing just that here).

So all is rosy and you can go to bed tonight dreaming of a world in which ransomware doesn’t exist right?

No, not at all I’m afraid.

The thing is, you see, Cryptolocker is only the most well-known form of ransomware – there are plenty of other variants out there.

You can take action to minimise the risk of any other such ransomware finding its way onto your computers though. Brian Honan, who has far too much experience in the area, says:

  • Keep your software patched and up to date.
  • Employ reputable anti-virus software and keep it up to date.
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data.
  • Make staff and those who use your computers aware of the risks and how to work securely online.

So, follow Brian’s advice and all will be well?

Maybe not – we don’t live in a perfect world and people always make mistakes and criminals always come up with new and ingenious ways of tricking people into installing their crapware. But his advice will go a long way toward ensuring that your PCs are less at risk.

But…

It isn’t just traditional computers that are at risk from ransomware these days, as discovered by security vendor ESET.

The security firm yesterday confirmed the first case of encryption-based ransomware on an Android device. Dubbed Simplelocker, the mobile Trojan encrypts SD cards found on many Google-powered smart phones and tablets.

ESET report that the associated ransom demand –

“WARNING your phone is locked!

The device is locked for viewing and distribution child pornography, zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

– is in Russian and that the payment demand requests Ukrainian currency (260 Hryvnia / 16 Euros), payable via a system where following the money would likely prove difficult, if not impossible.

Storagelocker

ESET says that Simplelocker can encrypt various types of file with AES, including:

  • jpeg
  • jpg
  • png
  • bmp
  • gif
  • pdf
  • doc
  • docx
  • txt
  • avi
  • mkv
  • 3gp
  • mp4

The company also noted that information about the compromised device, such as the IMEI number, would be uploaded to the Command and Control (C&C) server, presumably to help the controller ensure that the right data is released after payment is received.

Interestingly, the C&C server is hosted on the TOR network, making it hard to trace those behind it.

Whilst Simplelocker is rather limited at this time –

“Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.”

– it does show that cyber criminals are looking at the lucrative business of ransomware on platforms other than Windows and is, itself, an evolution from previous non-encrypting forms of ransomware such as Android Defender and Kafeine.

Therefore, it would be sensible to assume that ransomware on the Android platform could evolve into something far more threatening in the future (and let's not forget that iOS devices may not be immune either).

So what can you do to protect yourself from mobile ransomware?

As with the PC variant, the ruse works because data has value. Even though SD cards are cheap as chips, the data stored upon them may not be, so having a good backup plan in place would be a good start.

More than that though, you will want to limit the risk of ransomware getting onto your device in the first place by installing a mobile security app and avoiding third party app stores.

Michael Sutton, VP of security research at Zscaler said,

“With the success of ransomware on the PC, such as CryptoLocker, it was inevitable that ransomware would move to the mobile space. Just last month we saw the emergence of Koler on Android, which attempted to lock the user’s device and demand a ransom. This Trojan goes a step further by actually encrypting certain files. Fortunately, mobile devices are more restrictive in permitting application access to the file system and as a result, this Trojan is limited to encrypting only those files on an installed SD card. There is no doubt that ransomware will continue to evolve in the mobile space given the financial success that it has achieved in the PC realm.

The best advice for consumers is to avoid third party app stores. The vast majority of Android malware is found on stores outside of the official Google Play store, which does a reasonable job of automating malware detection and preventing malicious apps from ever being listed. Beyond that, users should ensure that regular and continual backups of device applications and data are available. This way, should ransomware ever be installed, they will always be able to recover the phone content.”

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
