Malware that encrypts Android phones using FBI child-abuse warnings to scare victims into paying $300

Security researchers from ESET® have uncovered a new, even more dangerous version of Simplocker – the Android file-encrypting ransomware that was discovered a month ago by ESET.

The new version of the file-encrypting malware, detected by ESET as Android/Simplocker.I, contains some notable improvements. This time it displays the ransom note in English – the previous version was targeting mainly Ukraine and Russia – and also asks for a higher ransom, 300 US Dollars to be exact. In comparison to the previous version, it also encrypts a wider range of file types and is more difficult to uninstall from devices.

Last time we wrote about Android/Simplocker – the first ransomware for Android that actually encrypts user files – we discussed different variants of the malware and various distribution vectors that we’ve observed. What initially appeared as just a proof-of-concept mainly because of Simplocker’s “not-exactly-NSA-grade” crypto implementation has proven to be an actual threat in-the-wild in spite of its weaknesses. Also, the malware has been available for sale on underground forums.

Last week we spotted a variant of the ransomware that featured a few significant improvements.


The first change that meets the eye in Android/Simplocker.I is that the ransom message is now in English rather than Russian. The victim is led to believe that the device was blocked by the FBI after detecting illegal activity – child pornography and so on – typical behavior of police ransomware that we’ve seen many times before. The demanded ransom is now 300 USD and the victim is instructed to pay it by a MoneyPak voucher. Like other previous Android/Simplocker variants, this one also uses the scareware tactic of displaying the camera feed from the device.

From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable.

In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This ‘upgrade’ can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well.

Secondly, the malware now asks to be installed as Device Administrator, which makes it a lot more difficult to remove.


As usual, the trojan will use social engineering to trick the user into installing it – in the screenshot above, it’s masquerading as a Flash video player.

Our Android/Simplocker detection statistics until today don’t indicate the threat to be widespread in English-speaking countries.

In case your files have been encrypted as a result of an Android/Simplocker infection, you can use the updated ESET Simplocker Decryptor to restore them. But as always, we recommend focusing on prevention ;) Also, while you should be careful when installing any application on your device, be extra careful when the installed application asks for Device Administrator rights.


How to hack someone’s account? Ask them for their password!

ESET Ireland has been following a surge of phishing emails redirecting users to faked banking, PayPal and Microsoft account sites for harvesting login details.

Although a surprisingly large number of people still use passwords like “12345” or “password” for their various accounts, cybercriminals have taken an easier route than trying to hack into peoples’ accounts. “Ask and you shall receive” seems to be their motto, so they send out emails that pretend to be coming from legitimate sites, notify the user of some unusual activity, and ask them to confirm or deny that activity by “signing into the service”. Except that the service in question isn’t actually there, but a faked site instead, which diligently logs all usernames and passwords entered and delivers them to the happy scammers.

In the past weeks, ESET Ireland has received several different emails of the same nature, and here are some examples:

1. Bank of Ireland

An email purporting to come from Bank of Ireland, claiming your account requires an update and providing a fake link “Click here to complete update”. The email has some bad spelling errors which give it away.

Fake Bank of Ireland email



2. iTunes

An email pretending to be from iTunes, thanking you for purchasing “World Of Go” for €9.65 , then adding “If you did not authorize this purchase, please visit the iTunes Payment Cancellation Form within the next 12 hours in order to cancel the payment,” which requires you to “log in” to the fake iTunes site.

Nice of them to respect our privacy, eh?



3. PayPal

An email looking like a detailed payment receipt, mimicking PayPal, with all the usual PayPal visual clues, claiming you paid $208.00 USD to Agoda Company online hotel booking site, adding “If you haven’t authorized this charge, click the link below to dispute transaction and get full refund – Dispute transaction (Encrypted Link).” The link, of course, isn’t encrypted and simply leads to a PayPal lookalike login harvesting site.


Fake link in “Encrypted link”


“” address instead of “PayPal


4. Microsoft

An email abusing Microsoft’s name, with the subject line “Microsoft account unusual sign-in activity” that claims they detected unusual sign-in activity into your account, supposedly from South Africa, which is meant to make people suspicious, then offering a solution “If you’re not sure this was you, a malicious user might have your password. Please Verify Your Account and we’ll help you take corrective action.” Of course the only action they’ll be taking is signing into your account with the login details you just provided.

Legitimate looking email.


“” instead of “Microsoft Corporation”



Actual Microsoft account log in


What should you do?

First of all, stay informed. The scams you know about are less likely to catch you off guard. We regularly keep you updated on our blog here or on ESET’s We Live Security.

Read such mails carefully, checking for clues. If the email has spelling errors or uses poor language, it is likely faked. A lot of the scammers come from countries where English is not their first language and they give themselves away. The same goes for similar scams as Gaeilge, where they likely used Google Translate to try to fool native Irish speakers.

Do not click on links in emails. Even if you do have a Microsoft account and are alarmed by such an email, open your browser and go to the Microsoft site directly. Also make sure the website’s address looks correct. In the case of the faked Microsoft one above, the website address read “”, which is clearly not “Microsoft”.
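The address check described above can be automated for HTML mail. The following is an added example, not code from ESET: it compares each link's real target with the brand the email claims to come from, and flags the "Encrypted Link" trick from the PayPal sample. The brand-to-domain table, the reason codes and the sample email (which uses reserved example domains) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: sign-in domains per brand; extend for the services your users rely on.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "itunes": {"apple.com"},
    "bank of ireland": {"bankofireland.com"},
}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def _host(url):
    # urlsplit only finds a host after "//", so add it for bare "www." text.
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def _under(host, domains):
    # True for the domain itself or any subdomain of it, nothing else.
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_email(html, claimed_brand):
    """Return [(href, [reason, ...])] for links that do not fit the claimed brand."""
    brand = claimed_brand.lower()
    allowed = BRAND_DOMAINS[brand]
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue
        host, shown, reasons = _host(href), text.lower(), []
        if not _under(host, allowed):
            reasons.append("OFF_BRAND_HOST")
            if brand.replace(" ", "") in host:
                reasons.append("LOOKALIKE_HOST")  # e.g. brand.com.something.else
        if shown.startswith(("http://", "https://", "www.")):
            if _host(shown.split()[0]) != host:
                reasons.append("TEXT_URL_MISMATCH")
        if parts.scheme == "http" and ("encrypted" in shown or "secure" in shown):
            reasons.append("HTTP_BUT_CLAIMS_ENCRYPTED")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample modelled on the fake PayPal receipt described on this page.
SAMPLE_EMAIL = """
<p>You paid $208.00 USD. If you haven't authorized this charge, click below.</p>
<a href="http://paypal.com.billing.example.net/login">Dispute transaction (Encrypted Link)</a>
<a href="https://www.paypal.com/help">Help</a>
<a href="https://login.example.org/pp">https://www.paypal.com/disputes</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL, "PayPal"):
        print(href, reasons)
```
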

If you suspect you may have fallen for one of these tricks, change your passwords. To be sure, change them in regular intervals anyway.

If the email you received looks like it’s coming from your bank, pick up the phone and ring them instead of just clicking. They’re accustomed to scams like these and will advise you appropriately.

Think before you click and enjoy safer technology!


by Urban Schrott, ESET Ireland

Holiday phishing in the holiday season

ESET Ireland advises caution when receiving holidays-related emails, messages and SMS texts as they could be phishing scams.

In the IT security world we have gotten accustomed to many seasonal or event-related scams. There are the usual suspects, the Valentine’s Day scams, St.Patrick’s Day scams, various disaster scams, currently active World Cup scams and then there is the holiday classic – the stranded tourist.

As the cybercriminals are always adapting, they’re trying many ways to convince their potential victims that the messages are genuine. For targeting Irish users, they have sometimes used mails as Gaeilge, but more commonly just use Irish sounding names. The latest such email we have been receiving in large quantities reads:


Ignore it! Do not reply to it, even to insult or mock the sender, as that will just confirm to them your email address is a valid one and it will start receiving more and more elaborate scams. If you ever receive any such, from emails or mobiles of people you actually know, consider that their emails could have been hacked or mobiles stolen. Always ring them first and talk to them, before taking any other action. Enjoy safer technology.

Phishing emails and how to avoid them

Phishing emails are popular amongst Cyber Criminals who are looking to steal your personal information. Protecting your data is essential and by following these simple steps from We Live Security your information will stay secure.

Michael Schumacher dead? No, just the latest sick Facebook scam

Facebook fraudsters use fake news of F1 star’s death to direct users to scam websites

Scammers and fraudsters think nothing of scraping the barrel of bad taste, if they believe it will help them earn a few dollars. Take the latest scam spreading on Facebook, for instance, which claims that Formula 1 racing driving star Michael Schumacher has died.

Scam Facebook post

In case you’re not aware, almost six months ago the motor racing legend suffered a severe head injury in a skiing accident, which saw him – until very recently – placed in a medically induced coma. Now, scammers are saying he has died. And, sadly, ghoulish Facebook users are helping for the scam to spread – by clicking on the link.

Cold-hearted scammers are trying to drive traffic to their faked webpages, because if you share the link with your friends you are helping them generate traffic to their site. And the more people who attempt to watch the video, the more money they will make.

Share this scam...

Oh, and by the way, as Schumacher hasn’t died – you’re not going to see a news report claiming that he has. Instead, you will be taken to a webpage which pays a small amount of affiliate cash to the scammers, helping to fill their coffers.

If you made the mistake of clicking on a link like this, make sure that you did not share it with your friends and delete any strange posts from your Facebook newsfeed. Remember to warn your online friends to be wary of similar scams, and to always think twice before sharing links.

You would imagine that Schumacher’s friends and family have suffered enough, without scammers, fraudsters and thieves attempting to profit from his critical condition.

by Graham Cluley, We Live Security

Simplocker ransomware: Now spread by Android apps

ESET recently discovered ransomware malware which targets Android smartphones. The cybercriminals are hard at work developing the threat further.

As mentioned in our previous posts, the threat is mostly concentrated in Ukraine and Russia. While the malware may display traits of a proof-of-concept, it is indeed spreading in the wild and can cause headaches for infected users. Since our initial discovery of Android/Simplocker we have observed several different variants. They target different domains, use different nag screens and demand payment in different currencies. Some even display a “we know who you are” photo of the victim taken with the phone’s camera to increase the scareware factor.

How can it get into a victim’s device?
ESET’s telemetry has indicated several infection vectors used by Android/Simplocker. The “typical” ones revolve around internet pornography – some malicious apps pretended to be an adult video, an app for viewing adult videos, etc. – or popular games like Grand Theft Auto: San Andreas, and so on. We have, however, noticed a different dissemination trick that’s worth mentioning – the use of a trojan-downloader component. Using trojan-downloaders to “dynamically” download additional malware into an infected system is common practice in the Windows malware world – and while this is not the first case we’ve seen – it is still noteworthy on Android. Using a trojan-downloader is a somewhat different strategy for smuggling malware into an Android device, compared to traditional social engineering (e.g. by using pornography, as in the example above) or more sophisticated techniques relying on exploitation of software vulnerabilities.

For more advice on keeping your mobile safe from Simplocker ransomware, see our blog post.

Domino’s Pizza hacked: Change your toppings at once!


Apparently, hackers have gained access to 600,000 Domino’s Pizza customer details, including their favourite toppings. ESET Ireland advises users to change their pizza toppings selection to stay safe.

I am otherwise a rational and sensible cybersecurity analyst, but I draw the line when someone messes with my food. And the hackers behind this latest attack did just that. In a bid to extort money from Domino’s Pizza, they threatened to publicly post detailed info of 600,000 customers, including their favourite pizza toppings unless they’re paid a ransom of €30,000. The hackers aimed at possible lawsuits against the pizza company for breach of privacy, but a representative of Domino’s said the ransom will not be paid and that the customers’ financial data and credit cards were not compromised in the attack.

The servers attacked mainly contained customer info from France and Belgium so Irish users shouldn’t be affected, but just to be sure, ESET Ireland recommends you change your toppings selection, so it doesn’t coincide with the one the hackers may have, so you will not be offered a fake pizza by them. Ok, we’re joking here. But only a bit. Because in the age of targeted attacks, so called spear-phishing, it is not uncommon practice among cybercriminals to gather as much data on anyone they can, including such details as food preference, then prepare a targeted scam which uses bits of this data to convince the victim it’s legit. Imagine an average Joe receiving an email from someone pretending to be Domino’s and saying “Hi Joe, you ordered extra anchovies in your last three orders with us and we want to give you a prize for being a regular customer. Click here and fill in the form to claim your prize.” Even though the sender and email would be fake, the victim would recognise they did in fact order extra anchovies and would consider the offer real and would likely click on the link. This could in turn infect their computer with malware, demand they enter their banking details to receive the prize, or any other wicked thing cybercriminals do.

Apart from changing your toppings, at least for a while, ESET Ireland therefore seriously advises you are careful with the personal data you share with companies and services you deal with. Know that, as in the case of this hack, if the data falls into the wrong hands, it can be used against you. Only disclose the minimum of necessary info and if you receive any suspicious email, claiming reference to some real info about you, double check if it is legitimate, before you do anything it’s asking you to do. When unsure, just ring the company in question and check.

by Urban Schrott, ESET Ireland

World Cup scams: team tactics to keep you safe


With the World Cup in Brazil poised to begin, the whole world is watching – and that includes cybercriminals.

ESET is following a wave of phishing campaigns, fake “prize draws” and other classic fraud tactics – and the hacks have extended far beyond the boundaries of Brazil itself, as this story about England players’ details leaking on Twitter illustrates.

But just as there are tried-and-tested tactics to help a team fight its way through the World Cup, there are a few neat dodges in information security which will help you steer clear of World Cup scams.

Understand your opponent
Most of the early phishing campaigns targeting the World Cup offered the same thing – the chance to attend games. It’s a classic phishing scam: take advantage of the buzz. For cybercriminals the sheer size of the World Cup event, and the number of users interested, is an irresistible lure. No doubt World Cup scams will continue right through the competition – ranging from unbelievable deals on new televisions, to raffles for tickets spread via fake sites, fake links on social sites, and of course, fake “new friends” on such sites.

Play defensively
Look at the current state of play and ensure there’s the biggest possible number of defenders between the goal (your private data) and the opponent (cybercrime gangs). Tempting offers such as cheap LCD televisions or sweepstakes offering flights and accommodation for the full event will be one of the tricks deployed by your opponent – but behind each tempting offer could lurk a fraudulent website. At that point, if you click, it’s like putting your opponent face-to-face with your keeper – the full responsibility of keeping your PC safe falls on just a few factors: your settings and your antivirus software.

Don’t pass too openly
Just as a team can leave itself open to attack, you have to change your tactics online to ensure your personal information remains safe. Treat any World Cup-related site with suspicion – particularly ones that ask for personal information. Even sites which are not asking for card/banking details can still be scams – be extra cautious about everything from your home address to your email, as these can be the building blocks for identity theft attacks.

Don’t trust rumors
When you see a truly unbelievable world cup news story spreading, don’t click – it’s probably unbelievable because it’s untrue. ESET has seen World Cup scams circulating on networks such as Facebook, relating to everything from player injuries to intimate videos of players with their other halves. False news stories are a classic cybercriminal tactic – and when the world is watching one big story, you can bet that fake news links will spread on social networks, leading unwary web users to fraudulent surveys – or worse, sites infected with malware.

When the game’s over the game’s over
Be very, very wary of any site that’s not FIFA’s official website for last-minute tickets – not only are there scam sites aplenty, there are touts and other scam merchants offering World Cup tickets (which might well be fake) at exorbitant prices. FIFA’s own warnings about World Cup ticket scams offer a sensible way to cool off your desire – there’s often no such thing as a “dream ticket”, just an awful lot of scams.

Listen to the team captain
When you’re browsing for World Cup news, don’t blindly follow the first link you see – go to a news site you trust and start from there, or download one of the official news site apps (or FIFA’s own) to stay up to date with the latest results. If it’s a news site you’ve never heard of before, odds are there’s a very good reason for that – it isn’t a news site, it’s a scam.

by Gastón Charkiewicz, ESET

Android threats: how to keep your mobile safe from filecoders (and everything else)

The first file-encrypting Trojan to demand a ransom from Android users, recently analysed by ESET researchers, had been anticipated. The malware Android/Simplocker, available as a bogus app, seems at present to be a proof-of-concept but it’s only a matter of time before it’s ready for mass release.

In ESET’s Threat Trends Report predictions for this year, ESET experts warned of an escalating increase in serious threats targeting Android phones and tablets – ESET detections of such malware increased more than 60% between 2012 and 2013, which is a trend predicted to continue in 2014.

Thankfully, most of these threats can be avoided by sensible use of your device. At ESET Ireland we encourage users to protect themselves against these threats using prevention and defensive measures. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce your risks.

Install ALL apps from Google Play or other known app stores unless you have a good reason not to
There are good reasons to install apps from outside Google’s Play Store (or other big-brand stores such as Amazon’s) – for instance, if your employer requires you to install a messaging app for work. Otherwise, don’t.

Third-party stores, particularly those offering big-name apps for free are generally infested with malware, and downloading apps from them is a good way to get infected.
If you HAVE to install a file from an unknown source, ensure your device is set to automatically block such installations afterwards.

Don’t assume you’re safer on your Android than on your PC
Stay alert and don’t fall for common social engineering tricks. Links, downloads and attachments can be just as risky on Android as they can on PC.

If possible, don’t use any old ‘Droid
In an ideal world, you should use a new phone, running the latest version of Android – KitKat. Older versions are less secure – and your operator may not issue an upgrade for your handset, even if Google does. The biggest problem for consumers is the enormous number of old phones running Android that are still in use and for which the operators will not release a new version, which makes them more vulnerable.

Ensure you are running the latest update of Android available for your device
Updates from Google should be available OTA (over the air) – and on newer phones, you should be able to set your phone to auto-update (with a restriction to do so via Wi-Fi rather than cellular networks).

Do the basics – lock your phone
If you own the very latest handsets such as Samsung or HTC’s flagships, you might have the luxury of locking your phone with up to three fingerprints using a built-in scanner – but if not, there’s no excuse for not locking it with either a PIN or, ideally, a password.

Don’t keep your valuables on your device
If you keep current backups of all your devices then any ransomware or Filecoder trojan – be it on Android, Windows, or any operating system – is nothing more than a nuisance. Backup your phone when possible – either manually, by connecting to a PC, or by using your manufacturer’s auto-backup.

Inspect every app’s permissions before
When installing an Android app, you will see a list of “Permissions” – functions the app is allowed to access. Permissions such as “Full network access” or the ability to send and receive SMSs should make you think hard about installing the app!
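The permission review above, and the earlier warning about apps that ask for Device Administrator rights, can be turned into a quick manifest triage. This is an added example, not ESET's code: it assumes the APK's AndroidManifest.xml has already been decoded to text XML (APKs store it in a binary form), and the sample manifest, its package name and the `needs_review` rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions tied to behaviour this page describes: network access, SMS,
# the camera "scare photo", and writing to the SD card where files get encrypted.
WATCHED = {
    "android.permission.INTERNET": "full network access",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to SD card",
}

def triage_manifest(xml_text):
    """Summarise watched permissions and Device Administrator receivers."""
    root = ET.fromstring(xml_text)
    report = {
        "package": root.get("package"),
        "permissions": [],
        "device_admin_receivers": [],
    }
    for el in root.iter("uses-permission"):
        name = el.get(NAME)
        if name in WATCHED and name not in report["permissions"]:
            report["permissions"].append(name)
    for rcv in root.iter("receiver"):
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens
        # for DEVICE_ADMIN_ENABLED; flag on either marker so that a sloppy
        # manifest is still surfaced for a human to look at.
        guarded = rcv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
        actions = {a.get(NAME) for a in rcv.iter("action")}
        if guarded or "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            report["device_admin_receivers"].append(rcv.get(NAME))
    # Assumed triage rule: any Device Administrator request gets a manual look.
    report["needs_review"] = bool(report["device_admin_receivers"])
    return report

# Constructed manifest for a hypothetical "video player" app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Video Player">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for perm in result["permissions"]:
        print(f"{perm}: {WATCHED[perm]}")
    print("device admin receivers:", result["device_admin_receivers"])
    print("needs review:", result["needs_review"])
```
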

Use a mobile security app
Android malware used to be dismissed as a myth – or largely an annoyance designed to run up bills via premium SMS messages. The discovery of PC-like malware such as Android/Simplocker shows just how fast malware is evolving for Google’s devices – and how like its PC cousins it’s becoming. A regular, automatic malware scan of your device is recommended.

Use Google’s own defenses to the full
Google offers a pretty decent selection of security features built in – including a location tracker, which can help find a lost device.

Never pay a ransomware author
While the implementation of the encryption in Android/Simplocker is clumsy compared to notorious PC malware such as Cryptolocker, it can still effectively destroy files. ESET Ireland advises that the one thing users must not do is pay up. That will only motivate other malware authors to continue these kinds of filthy operations, but there is also no guarantee that the crook will keep their part of the deal and actually decrypt locked files.

by Urban Schrott, ESET Ireland and
Rob Waugh, ESET

Filecoder for Android? ESET catches Trojan that can encrypt your mobile


ESET experts have caught the first example of an Android mobile Trojan, which they named Android/Simplocker. Similar in nature to the Filecoder/Cryptolocker that’s been increasingly plaguing PCs in the past year, this malware, after setting foot on an Android device, scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files.

After launch, the trojan will display the following ransom message and encrypt files in a separate thread in the background:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography, zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

The malware, just like the very first Android SMS trojans (including Android/Fakeplayer) back in 2010, originates from Ukraine and Russia, and it directs the victim to pay 260 Ukrainian Hryvnias (approximately €16) using the MoneXy service, which is not as easily traceable as using a regular credit card.

Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them. It will also contact its Command & Control server and send identifiable information from the device.

Files encrypted by Android/Simplock.A

The sample we’ve analysed is in the form of an application called ‘Sex xionix’, but as it has not yet been found on the official Google Play, we estimate that its prevalence is rather low at this time.

Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress. Nevertheless, the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved. While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of operations, but also because there is no guarantee that the cybercriminals actually decrypt the files at all.

We encourage users to protect themselves against these threats (ESET Mobile Security for Android recognizes and neutralizes this threat) by adhering to best security practices, such as keeping away from untrustworthy apps and app sources, and, if they are unfortunate enough to already be infected, to recover the files from a backup. If you have made a backup, then any Filecoder trojan – be it on Android, Windows, or any operating system – is nothing more than a nuisance.

by Urban Schrott, ESET Ireland and
Marek Luptak, ESET



