Friday, July 25, 2014
First Ransomware for Android OS Updated
ITWorld reports that ransomware known as Simplelocker has been recently updated to target more people and to be more functional in its attacks. Simplelocker is a malicious program that encrypts certain files on Android operating systems and demands money for decryption.
Simplelocker spreads primarily through porn sites as a trojan. It infects devices by pretending to be a media player that has to be installed to play some videos. Once installed, it performs its actual function, which is to encrypt the user's files. It also communicates with a command-and-control server through the Tor network for anonymity, which makes the communication hard to trace.
It was previously announced that Simplelocker is ‘the first true crypto-ransomware for android devices.’ There were programs that pretended to be encryption ransomware for Android before it; however, Simplelocker was the first mobile payment virus for Android to actually encrypt the user's files. According to CM, Simplelocker itself is an evolved version of Cryptolocker, which is a trojan ransomware for MS Windows. The earlier version of Simplelocker could be considered a test version or a proof of concept of ransomware for Android-powered cellphones.
Previously, after getting onto a device, it would show its victims ransom notes in Russian, which limited its reach. The fact that it demanded payment in Ukrainian currency suggests that it mostly targeted Android users from eastern Europe. This has changed in the new version: it now shows an English message that is supposedly a note from the FBI. The message states that illegal pornographic material was found on the user's device and that he must pay a fine of US$300. It also claims that the device will be unlocked only when the ransom is paid. However, there is no certainty that this would actually happen, as Simplelocker does not have a built-in verification function.
Another change in the updated version concerns which files are encrypted. The previous version locked only images and documents on the SD card; the new one is also able to encrypt the user's backup files. It does this by locking the archive files that Android's backup tools create. This makes it much harder for users to restore the encrypted files.
It should be mentioned, however, that Simplelocker is not hard to defeat. It was discovered that the program relies on a master key that is in the code itself, which makes the key easy to dig out. This is one of the features of the Android ransomware that has not changed in the updated version. More tech-savvy users can do this manually by themselves, while those who are less knowledgeable in this field can ask a web security company for help in getting the decryption key.
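To illustrate why a key embedded in the code is easy to recover, here is an added example (not Simplelocker's code and not from the original report) of the kind of static check an analyst can run over decompiled Java source. It assumes the sample builds its key with the standard `javax.crypto` `SecretKeySpec` class; the class names, the key strings and the "AES" label in the sample are constructed placeholders, since the report does not name the cipher or the key.

```python
import re

# Constructed sample of decompiled source; every name and value is a placeholder.
SAMPLE = '''\
class Config {
    static final String MASTER_KEY = "PLACEHOLDER-not-a-real-key";
    static final String NOTE_URL = "http://example.invalid/note";
}
class Locker {
    SecretKeySpec a() throws Exception {
        return new SecretKeySpec(Config.MASTER_KEY.getBytes("UTF-8"), "AES");
    }
    SecretKeySpec b() {
        return new SecretKeySpec("inline-PLACEHOLDER".getBytes(), "AES");
    }
    SecretKeySpec c(byte[] fromKeystore) {
        return new SecretKeySpec(fromKeystore, "AES");
    }
}
'''

# String constants declared anywhere in the source: NAME -> value.
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# Key construction: first argument is the key material, second the algorithm.
SINK_RE = re.compile(r'new\s+SecretKeySpec\s*\(\s*(.+?)\s*,\s*"(\w+)"\s*\)')

def find_hardcoded_keys(source):
    """Return (line, algorithm, origin, value) for keys built from fixed strings."""
    consts = dict(CONST_RE.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SINK_RE.search(line)
        if not m:
            continue
        expr, algo = m.groups()
        literal = re.match(r'"([^"]*)"', expr)  # key typed inline at the call
        if literal:
            findings.append((lineno, algo, "literal", literal.group(1)))
            continue
        for name in re.findall(r'\w+', expr):   # key taken from a constant
            if name in consts:
                findings.append((lineno, algo, "constant " + name, consts[name]))
                break
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE):
        print(finding)
```

The third method in the sample is not reported, because its key arrives at run time instead of being fixed in the code. The same check is useful in code review of legitimate apps, where a string-literal key is a defect for the same reason.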