Monday, 4 August 2014

Malware that encrypts Android phones uses FBI warnings to scare victims into paying ransom

Security researchers from ESET have uncovered a new, even more dangerous version of Simplocker, the Android file-encrypting ransomware that ESET discovered a month ago; this time it uses the FBI's name to scare people into paying.

The new version of the file-encrypting malware, detected by ESET as Android/Simplocker.I, contains some notable improvements. This time it displays the ransom note in English (the previous version targeted mainly Ukraine and Russia) and also asks for a higher ransom, 300 US Dollars to be exact. Compared with the previous version, it also encrypts a wider range of file types and is more difficult to uninstall from devices.

The victim is led to believe that the device was blocked by the FBI after it detected illegal activity (child pornography and so on), typical behaviour of the police ransomware we have seen many times before. The demanded ransom is now $300 US and the victim is instructed to pay it with a MoneyPak voucher. Like previous Android/Simplocker variants, this one also uses the scareware tactic of displaying the camera feed from the device.

In addition to encrypting documents, images and videos on the device's SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This 'upgrade' can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store their backups as archive files, so if the user is infected with Android/Simplocker.I, those backups will be encrypted as well. The malware now also asks to be installed as a Device Administrator, which makes it a lot more difficult to remove. As usual, the trojan uses social engineering to trick the user into installing it, masquerading as a Flash video player.
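Because the backups themselves are now a target, a practical check is to verify that the archive files a backup tool wrote still begin with a valid archive header: an encrypted file keeps its name but no longer starts with the ZIP, 7z or RAR signature. The script below is an added example written for this article, not ESET's decryptor or any backup tool's own code. It builds a constructed sample backup folder (three intact archives and one whose contents have been replaced by arbitrary bytes, standing in for an encrypted backup) and reports which files no longer look like the archive type their extension claims.

```python
import os
import random
import tempfile
import zipfile

# File signatures (magic bytes) for the three archive formats the article
# names. A ZIP may also be an empty or spanned archive, hence three variants.
ARCHIVE_MAGIC = {
    ".zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x and RAR 5
}


def header_matches(path):
    """Return True/False if the file's header fits its extension, None if not an archive type we check."""
    ext = os.path.splitext(path)[1].lower()
    magics = ARCHIVE_MAGIC.get(ext)
    if magics is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(m) for m in magics)


def scan_backups(directory):
    """Walk a backup folder and label each ZIP/7z/RAR file 'ok' or 'SUSPECT'.

    A SUSPECT file has an archive extension but no archive signature, which is
    what an encrypted backup looks like from the outside.
    """
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            verdict = header_matches(path)
            if verdict is None:
                continue  # not one of the archive types we care about
            results[os.path.relpath(path, directory)] = "ok" if verdict else "SUSPECT"
    return results


def build_sample_backup_dir():
    """Create a constructed sample folder: three intact archives plus one that
    has been overwritten with arbitrary bytes (hypothetical encrypted backup)."""
    d = tempfile.mkdtemp(prefix="backup-check-")
    # Real (tiny) ZIP written by the standard library.
    with zipfile.ZipFile(os.path.join(d, "contacts.zip"), "w") as z:
        z.writestr("contacts.vcf", "BEGIN:VCARD\nEND:VCARD\n")
    # For 7z and RAR we only need valid signatures to exercise the check;
    # the bodies are padding, not real archive data.
    with open(os.path.join(d, "photos.7z"), "wb") as fh:
        fh.write(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
    with open(os.path.join(d, "sms.rar"), "wb") as fh:
        fh.write(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)
    # Constructed stand-in for an encrypted backup: same name, random body.
    rng = random.Random(1234)
    with open(os.path.join(d, "apps.zip"), "wb") as fh:
        fh.write(b"\x8f\x11" + bytes(rng.getrandbits(8) for _ in range(62)))
    return d


if __name__ == "__main__":
    sample = build_sample_backup_dir()
    for name, verdict in sorted(scan_backups(sample).items()):
        print(f"{verdict:8} {name}")
```

Run against a real backup folder (for example one copied off the SD card) the script gives a fast first answer to "are my backups still usable?" without opening every archive; a SUSPECT result is the cue to restore from an off-device copy rather than from the phone.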

If your files have been encrypted by an Android/Simplocker infection, you can use the updated ESET Simplocker Decryptor to restore them. But as always, we recommend focusing on prevention: be careful when installing any application on your device, and be extra careful when an application asks for Device Administrator rights during installation.