ESET analyzes first Android file-encrypting, TOR-enabled ransomware

One year ago, Android Defender, a hybrid comprising characteristics of a rogue AV and ransomware (the lockscreen type, not a file-encryptor), was discovered. Last month we saw a report about police ransomware for Android by the Reveton team. That malware did not encrypt any files on the infected device.

That, however, changed with the most recent discovery, last weekend. This Trojan, detected by ESET as Android/Simplocker, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files. Let’s look at the malware in greater detail.

After launch, the Trojan will display the following ransom message and encrypt files in a separate thread in the background.

The ransom message is written in Russian and the payment is demanded in Ukrainian Hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising: the very first Android SMS Trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine. The message roughly translates to:

“WARNING your phone is locked!
The device is locked for viewing and distributing child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy.
3. Enter {REDACTED}.
4. Make a deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”

The malware directs the victim to pay using the MoneXy service for obvious reasons, as it is not as easily traceable as using a regular credit card. 260 UAH is roughly 16 EUR.

Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4, and encrypt them using AES.
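As an added defender-side example (not ESET's tooling and not the malware's code), the following Python triages a copy of an SD card for files with exactly this extension list whose contents have lost their type signature and are near-random, which is the footprint that in-place AES encryption leaves behind. The magic-byte table, the 7.5 bit/byte threshold and the sample files are assumptions constructed for the example.

```python
"""Triage helper (added example, not ESET's tooling): flag files on a copied SD
card with the extensions Android/Simplocker.A targets whose contents no longer
look like that type, i.e. were probably encrypted in place."""
import hashlib
import math
TARGETED = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx", "txt",
            "avi", "mkv", "3gp", "mp4"}  # extension list quoted in the article
# Standard signatures (assumed); mp4/3gp ('ftyp' at offset 4) and txt are special-cased.
MAGIC = {"jpeg": (b"\xff\xd8\xff",), "jpg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "bmp": (b"BM",),
         "gif": (b"GIF87a", b"GIF89a"), "pdf": (b"%PDF-",),
         "doc": (b"\xd0\xcf\x11\xe0",), "docx": (b"PK\x03\x04",),
         "avi": (b"RIFF",), "mkv": (b"\x1a\x45\xdf\xa3",)}
ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext sits close to 8.0
MIN_SIZE = 64            # the entropy of a tiny file says nothing

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(b) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def header_intact(ext: str, data: bytes) -> bool:
    """True if `data` begins like a genuine file of type `ext` (never for txt)."""
    if ext in ("mp4", "3gp"):
        return data[4:8] == b"ftyp"
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))

def looks_encrypted(name: str, data: bytes) -> bool:
    """Targeted extension, signature gone, and near-random content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in TARGETED or len(data) < MIN_SIZE or header_intact(ext, data):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD

def triage(files: dict) -> list:
    """Sorted paths of the files that appear to have been encrypted in place."""
    return sorted(n for n, d in files.items() if looks_encrypted(n, d))

# Constructed stand-in for AES output: 4 KiB of deterministic high-entropy bytes.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_FILES = {  # constructed "SD card" contents for a stand-alone run
    "DCIM/IMG_001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,  # header intact
    "DCIM/IMG_002.jpg": CIPHERTEXT,                           # overwritten
    "Documents/notes.txt": b"meeting at 10, bring the slides\n" * 20,
    "Documents/report.txt": CIPHERTEXT,
    "Music/track.mp3": CIPHERTEXT,                            # not targeted
}
```

A text file has no signature, so for txt the decision rests on entropy alone; on a real card, compare the flagged set against the last backup rather than treating a hit as proof.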

It will also contact its Command & Control server and send identifiable information from the device (like IMEI, et cetera). Interestingly, the C&C server is hosted on a TOR .onion domain for purposes of protection and anonymity.

There is no input field for a payment-confirming code of any kind, as we’ve seen in earlier examples of Windows ransomware. Instead, the malware listens to its C&C server for a command – probably issued after payment is received – to decrypt the files.

The sample we’ve analyzed is in the form of an application called “Sex xionix”. It was not found on Google Play and we estimate that its prevalence is very low at this time.

Our analysis of the Android/Simplocker.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.

Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.

Instead we encourage users to protect themselves against these threats by prevention (by using our ESET Mobile Security for Android, for example, and by adhering to best security practices, such as keeping away from untrustworthy apps and app sources) and, if they are unfortunate enough to already be infected, to recover the files from a backup. When you have a backup, any Filecoder Trojan – be it on Android, Windows, or any other operating system – is nothing more than a nuisance.

Analyzed Sample SHA1: 808df267f38e095492ebd8aeb4b56671061b2f72

Author: Robert Lipovsky, Security Researcher at ESET.
