Simplocker, the first Android ransomware that actually encrypts files located on the device, has begun to target English-speaking users, ESET researchers warn.
The initial version of the malware was intended to scare Russian and Ukrainian users into parting with 260 Ukrainian hryvnias (around $21) by locking the infected device and claiming that it was locked “for viewing and distribution child pornography, zoophilia and other perversions.”
The latest version shows a similar fake message, this time bearing the FBI logo and repeating the same accusations, and demands a $300 “fine” (paid via MoneyPak voucher) to unblock the device and decrypt the files. It also shows the device’s own camera feed to suggest that the authorities know what the user looks like.
“From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable,” notes researcher Robert Lipovsky.
First, the set of files this variant encrypts now also includes archive files (ZIP, 7z and RAR). Many Android backup tools store their backups as archives, so a backup kept on the device is encrypted along with the originals it was meant to protect.
Second, the malware asks to be granted Device Administrator rights so that it is harder for the user to remove it: revoking those rights before uninstalling the app is rather difficult when the ransomware has locked the screen, Lipovsky pointed out.
This Simplocker variant apparently masquerades as a Flash video player. The good news is that it is currently not very widespread, but that may change, so users are urged to be careful when installing applications on their device.
If you have already fallen for the scam, you can use ESET’s Simplocker Decryptor tool to restore the encrypted files; chances are you won’t get any help from the scammers on that front even if you pay the “fine.”
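Why a vendor can ship a decryptor at all, as an added illustration that is not ESET’s tool and not Simplocker’s code: if the key is fixed inside the sample (this model’s assumption; the page says only that the new variant uses a different key from the first one), anyone who extracts it can reverse the encryption. The Go program below models that with AES-256-CTR under an embedded key, restricts itself to the archive extensions the page names, and checks decrypted output against each format’s magic bytes before accepting it, the sanity check a real decryptor wants so that a wrong key never overwrites the victim’s only backup with garbage. The key, file layout and sample “backup” are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumption: a fixed symmetric key baked into the sample. Simplocker's real key,
// cipher mode and file layout are not given on this page; this is a model of the idea.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

// Extensions the page says this variant adds to its target list.
var targetedExts = map[string]bool{".zip": true, ".7z": true, ".rar": true}

// Leading bytes of each archive format, used to confirm a decryption is genuine.
var archiveMagic = map[string][]byte{
	".zip": {0x50, 0x4B, 0x03, 0x04},
	".7z":  {0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C},
	".rar": {0x52, 0x61, 0x72, 0x21, 0x1A, 0x07},
}

// isTargeted reports whether a file name is in the archive set, case-insensitively.
func isTargeted(name string) bool {
	return targetedExts[strings.ToLower(filepath.Ext(name))]
}

// keystream applies AES-256-CTR under the fixed key; CTR is symmetric, so the same
// call encrypts and decrypts.
func keystream(iv, data []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one AES block")
	}
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// encryptFile models the ransomware side: output is IV || CTR(key, IV, plaintext).
func encryptFile(plain, iv []byte) ([]byte, error) {
	body, err := keystream(iv, plain)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, iv...), body...), nil
}

// decryptFile models the decryptor side: read the IV back and undo the keystream.
func decryptFile(ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, errors.New("file too short to hold an IV")
	}
	return keystream(ct[:aes.BlockSize], ct[aes.BlockSize:])
}

// recoverArchive decrypts and refuses output that does not start with the magic bytes
// the original extension implies, so a wrong key or a damaged file is caught before
// anything is written back over the victim's backup.
func recoverArchive(name string, ct []byte) ([]byte, error) {
	ext := strings.ToLower(filepath.Ext(name))
	magic, ok := archiveMagic[ext]
	if !ok {
		return nil, fmt.Errorf("%s: not an archive extension this model handles", name)
	}
	pt, err := decryptFile(ct)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, magic) {
		return nil, fmt.Errorf("%s: decrypted data lacks %s magic; wrong key or damaged file", name, ext)
	}
	return pt, nil
}

func main() {
	// Constructed sample: a "backup" that is just a ZIP local-file header plus filler.
	backup := append([]byte{0x50, 0x4B, 0x03, 0x04}, "constructed backup payload"...)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct, err := encryptFile(backup, iv)
	if err != nil {
		panic(err)
	}
	pt, err := recoverArchive("photos_backup.zip", ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("targeted=%v recovered=%q\n", isTargeted("photos_backup.zip"), pt[4:])
}
```

The magic-byte check is the part worth carrying into any real recovery script: a decryptor that cannot tell a correct key from a wrong one will happily replace an encrypted backup with a second layer of noise, and the original is then gone for good.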