Android malware encrypts files on SD card, demands ransom payment

James Delahunty
4 Jun 2014 15:04

ESET has identified the first form of ransonware for Android that actually encrypts personal files on the device's memory card and won't decrypt them unless a ransom is paid.
Previous forms of ransomware found to affect Android devices typically used lockscreens or other methods (such as making it impossible to launch apps) to force a user into a payment. This one is more insidious because it actually encrypts files on the devices, specifically files with the extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4. The image with this article shows files in Total Commander that have been encrypted by the malware.
The app is in Russian and is likely only affecting a very small number of devices in that region. It demands payment in Ukrainian hryvnias (260 UAH, roughly $21, €16) using Ukraine's MoneXy payment service. When it finds its way to an Android device, it prompts the following message in Russian:

WARNING your phone is locked!
The device is locked for viewing and distribution child pornography , zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy
3. Enter {REDACTED}.
4. Make deposit of 260 Hryvnia, and then press pay.
Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!"

The malware communicates with a command & control server, which is actually a Hidden Service on the TOR network, making it difficult for authorities to unmask its location on the Internet. It does provide means for a user to enter a payment code or anything like that which has been previously seen, instead it appears to wait for remote instruction to decrypt files.
ESET identifies the malicious software as Android/Simplock.A. It strongly advises users affected by this, and similar malicious apps, NOT to pay the ransom fee. By paying the fee, you encourage more malware of this kind and there is no guarantee the criminals will keep up their end of the scam.
To avoid Android malware like this, always make sure to get your apps from authorized sources like Google Play or the Amazon Store. Make sure to keep apps and Android as up to date as possible.
Ransomware has been in the headlines this week after a US-led effort targeted the Gameover ZeuS trojan/botnet and the Cryptolocker ransonware, which encrypts victim's files on their PCs and demands a random of 1 Bitcoin, which currently could cost around $600 to acquire.

Sources and Recommended Reading:
ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware: www.welivesecurity.com (by Robert Lipovsky)