Saturday, 21 June 2014

Simplocker ransomware: Now spread by Android apps

ESET recently discovered ransomware that targets Android smartphones. The cybercriminals are hard at work developing the threat further.

As mentioned in our previous posts, the threat is mostly concentrated in Ukraine and Russia. While the malware may display traits of a proof-of-concept, it is indeed spreading in the wild and can cause headaches for infected users. Since our initial discovery of Android/Simplocker we have observed several different variants. They target different domains, use different nag screens and demand payment in different currencies. Some even display a “we know who you are” photo of the victim taken with the phone’s camera to increase the scareware factor.

How can it get into a victim’s device?
ESET’s telemetry has indicated several infection vectors used by Android/Simplocker. The “typical” ones revolve around internet pornography (some malicious apps pretended to be an adult video, an app for viewing adult videos, etc.) or popular games like Grand Theft Auto: San Andreas, and so on. We have, however, noticed a different dissemination trick that’s worth mentioning: the use of a trojan-downloader component. Using trojan-downloaders to “dynamically” download additional malware into an infected system is common practice in the Windows malware world, and while this is not the first case we’ve seen, it is still noteworthy on Android. Using a trojan-downloader is a somewhat different strategy for smuggling malware into an Android device, compared to traditional social engineering (e.g. by using pornography, as in the example above) or more sophisticated techniques relying on exploitation of software vulnerabilities.

For more advice on keeping your mobile safe from Simplocker ransomware, see ESET Ireland's blog post.