Android ransomware encrypts local files, demands payment to restore phone

Nikhil Subramaniam June 9, 2014, 12:18:10 IST


Security researchers have documented a new ransomware for Android, a trojan that supposedly encrypts data on your local storage and demands a ransom for it to be decrypted and made usable again.

The Android/Simplocker malware is still in the proof-of-concept phase, but Robert Lipovsky, a malware researcher for antivirus firm Eset, documented it in a blog post. “The ransom message is written in Russian and the payment demanded in Ukrainian hryvnias, so it’s fair to assume that the threat is targeted against this region. This is not surprising, the very first Android SMS trojans (including Android/Fakeplayer) back in 2010 also originated from Russia and Ukraine.”

The message displayed on the device is incomprehensible unless you read Russian. Here it is:

[Image: The ransom message in Russian (image: Eset)]

It roughly translates to: “Warning! Your phone is locked for viewing and distribution child pornography, zoophilia and other perversions. To unlock you need to pay 260 UAH.” It asks users to select MoneXy, as it is less easy to trace than usual credit cards, and asks them to take a receipt, following which the device will be unlocked within 24 hours. “In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!” it warns.

The ransom of 260 Ukrainian hryvnias comes to roughly $21, or around Rs 1200. The trojan uses AES to encrypt files with the following extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4, so users will pretty much be locked out of the files used by most common applications.

Dmitry Bestuzhev, head of the Global Research and Analysis Team, Latin America at Kaspersky Lab, told Tech2 last year that ransomware plays on the user’s fear of being exposed, even if they may not have surfed the Web content that it claims they did. It’s about exploiting the basic shame factor to make people pay. Nobody wants to be accused of watching child porn or such objectionable content, which is how most criminals get away with it. “There’s no guarantee that the attacker will give back control of the device.” Ransomware on PCs usually comes with some insignia pertaining to real law enforcement authorities and uses broken language. This is deliberate, as criminals prey on those connected users who have difficulty in reading and writing.

The malware analyzed by Eset was in an app called Sex xionix, which is not on the official Google Play Store, once again highlighting the risks associated with using third-party stores. Most Android devices come with support for Google Play, but there are those that don’t. Many Android devices in China, and forks of Android such as the Nokia X, use only third-party app stores, which are not necessarily well curated from a security point of view. These are particularly vulnerable to malware.

A similar ransomware popped up on some iPhones last month. Some users reported their iDevices being remotely locked and a payment being demanded for them to be unlocked. It’s as yet unclear how exactly hackers got their hands on the remote locking feature.