This article is more than 1 year old
Android ransomware demands 12x more cash, targets English-speakers
FBI child-abuse warning shake-down gets more sophisticated
Cybercrooks have further refined a strain of file-infecting ransomware that infects Android smartphones so that it targets English speakers and is more difficult to remove.
The newest variant of Android/Simplocker displays the ransom note in English and asks for a higher ransom of $300. The latest version also encrypts a wider range of file types and is more difficult to uninstall from devices than previous versions of Simplocker, which first surfaced in late May.
Previous versions contained a ransom message is written in Russian, with payment demanded in Ukrainian hryvnias. As before victims are falsely accused of "viewing and distributing child pornography, zoophilia and other perversions", and misleadingly informed that their device has been locked-down as a result of their perverse viewing habits.
The police ransomware poses as a Flash video player, a feature akin to that found in previous versions, which circumstantial evidence suggested offer a smut viewing-utility.
Previously, the malware extorted an "unlock fee" of 260 UAH ($21), so the crooks behind the latest incarnation of the scam are a lot greedier and perhaps more confident than before. The ransomware fee now demanded is on par with that extorted by the infamous Windows PC-infecting CryptoLocker ransomware. Pay-off are via a MoneyPak voucher as opposed to the hard-to-trace MoneXy eWallet service previously used.
The silver lining is that infections rates for the latest variant of the malware are low. "Our Android/Simplocker detection statistics don’t indicate the threat to be widespread in English-speaking countries," according to anti-malware firm ESET.
Security researchers at ESET described early versions as a proof-of-concept nasty. The latest version is still fairly basic from a cryptographic perspective but it's been modified to encrypt archive files, a tweak that makes life far harder for victims.
"From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable," Robert Lipovsky, a malware researcher at ESET, explains in a blog post.
"In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This 'upgrade' can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well," Lipovsky warns.
In addition, the malware now asks to be installed as Device Administrator, making it a lot more difficult to remove.
Although still not especially advanced Simplocker is the next step from screen-locking ransomware called Android FakeDefender, which was discovered by Symantec a year ago;. Android Defender can be exorcised by booting a device into safe mode, whereas getting rid of Simplocker is more difficult but still possible.
ESET, for example, has released a Simplocker Decryptor utility. No such tool is possible for CryptoLocker victims, thanks to the use of stronger cryptography schemes. ®