Mobile crypto-ransomware Simplocker has evolved, and returning encrypted files to their unencrypted state is no longer as easy as it was.
First spotted in June 2014, Simplocker was the first Android ransomware that actually encrypted files. The initial version targeted both Russian and Ukrainian users, and a month later a version aimed at English-speaking users popped up.
The initial version used a single, hard-coded encryption key that was the same for all victims, which allowed Avast to create a free removal tool for the unfortunate victims to use.
But that ship has now sailed, as Simplocker developers have upped the ante and the latest variant of the malware now encrypts files with a different key on each device.
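The following is an added example (not Simplocker's code, nor Avast's removal tool) illustrating why the key-management change above matters: a decryptor built from a key extracted from one infected device recovers every victim's files when the key is shared, but only that one device's files when each device gets its own key. Because the Python standard library has no AES, the cipher here is an assumed SHA-256 counter-mode keystream with an HMAC tag, so a wrong key is refused explicitly instead of producing garbage; the key material and file contents are constructed for the demonstration.

```python
"""Shared key vs. per-device key: what a removal tool can and cannot recover.

Added illustration, not the malware's or Avast's code. Cipher is an assumed
SHA-256 counter-mode keystream plus HMAC-SHA256 tag (stdlib has no AES).
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as SHA256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampering: refuse rather than emit garbage
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed stand-in for a key hard-coded in the malware sample (not the real one).
SHARED_KEY = hashlib.sha256(b"constructed hard-coded key for the demo").digest()


def infect_victims(per_device: bool, n_victims: int) -> List[Tuple[bytes, bytes, bytes]]:
    """Simulate n_victims infections; returns (key used, original file, encrypted file) per victim."""
    victims = []
    for i in range(n_victims):
        key = os.urandom(32) if per_device else SHARED_KEY
        original = f"constructed contents of photo-{i}.jpg".encode()
        victims.append((key, original, encrypt(key, original)))
    return victims


def removal_tool_recovers(per_device: bool, n_victims: int = 5) -> int:
    """An analyst extracts the key from ONE infected device and builds a decryptor from it.

    Returns how many of the n_victims' files that decryptor restores intact.
    """
    victims = infect_victims(per_device, n_victims)
    tool_key = victims[0][0]  # key recovered from the analysed sample/device
    return sum(1 for _, original, blob in victims if decrypt(tool_key, blob) == original)


if __name__ == "__main__":
    print("shared key, victims recovered:", removal_tool_recovers(per_device=False))
    print("per-device key, victims recovered:", removal_tool_recovers(per_device=True))
```

With the shared key the tool recovers every victim; with per-device keys it recovers only the device it was built from, which is why a generic decryptor no longer exists unless the per-device key can itself be recovered from the handset or from C&C traffic.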
According to Nikolaos Chrysaidos, Avast Android malware and security analyst, this new variant has already infected more than 5,000 unique users. They have been tricked into installing the malware by malicious ads on shady sites, as it poses as a Flash Player app.
“Once installed, a ‘Flash Player’ app icon appears on the device and when it is opened the ‘Flash Player’ requests the user grant it administrator rights, which is when the trouble really begins,” Chrysaidos explains.
“As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files violating copyright laws, and demanding that the user pay a $200 fine to decrypt their files.”
Apart from encrypting files and asking for ransom, the malware also sends the following data to its C&C server: BUILD_ID, AFFILIATE_ID, IMEI, OS, OperatorName, PhoneNumber, and Country.
Even though there is currently no software solution to revert the encryption and remove the malware, Chrysaidos advises users not to pay the ransom.
“If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager,” he says.
In addition to this, you might want to change your device’s settings to prevent the installation of apps from unknown sources. Google Play is not a malware-free zone, but it is far better at keeping malware out than third-party Android app marketplaces, and the setting also blocks sideloaded attacks like this one.