Simplocker ransomware: Now spread by Android apps

ESET recently discovered ransomware that targets Android smartphones. The cybercriminals are hard at work developing the threat further.

As mentioned in our previous posts, the threat is mostly concentrated in Ukraine and Russia. While the malware may display traits of a proof-of-concept, it is indeed spreading in the wild and can cause headaches for infected users. Since our initial discovery of Android/Simplocker we have observed several different variants. They target different domains, use different nag screens and demand payment in different currencies. Some even display a “we know who you are” photo of the victim taken with the phone’s camera to increase the scareware factor.

How can it get into a victim’s device?
ESET’s telemetry has indicated several infection vectors used by Android/Simplocker. The “typical” ones revolve around internet pornography (some malicious apps pretended to be an adult video, an app for viewing adult videos, etc.) or popular games like Grand Theft Auto: San Andreas, and so on. We have, however, noticed a different dissemination trick that’s worth mentioning: the use of a trojan-downloader component. Using trojan-downloaders to “dynamically” download additional malware into an infected system is common practice in the Windows malware world, and while this is not the first case we’ve seen, it is still noteworthy on Android. Using a trojan-downloader is a somewhat different strategy for smuggling malware into an Android device, compared to traditional social engineering (e.g. by using pornography, as in the example above) or more sophisticated techniques relying on exploitation of software vulnerabilities.

For more advice on keeping your mobile safe from Simplocker ransomware, see our blog post.

