Java program to reverse Android ransomware damage

University of Sussex student Simon Bell has reverse-engineered the Android Simplocker (Simplelocker) ransomware, and has created a Java program that can be converted into an Android app to decrypt the files encrypted by the malware.

Simplocker was first spotted and analyzed by ESET researchers earlier this month.

The malware scans the SD card for certain file types, encrypts them using AES, and demands a ransom in order to decrypt the files.

“Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to ‘the infamous Cryptolocker’ on Windows,” the researchers pointed out at the time, and advised against paying the ransom, as there is no guarantee the crooks will keep their part of the bargain and decrypt the files upon receiving the money.

According to Bell, the creators of the malware didn’t use code obfuscation techniques, which allowed him to dissect it easily.

“The antidote for this ransomware was incredibly easy to create because the ransomware came with both the decryption method and the decryption password. Therefore producing an antidote was more of a copy-and-paste job than anything,” he noted.

“It’s also worth noting that while this antidote doesn’t detect the decryption password automatically, it could be possible to do so. However, future versions of the ransomware will probably not reveal the decryption password so easily and will likely receive it from the C&C server,” he concluded, adding that future versions of this and other ransomware will likely prove significantly harder to reverse-engineer.