“A new, improved variant of the Android Simplocker ransomware is lurking on third-party app stores.
“We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher,” Ofer Caspi from CheckPoint’s malware research team warns.
Masquerading as a legitimate video/Flash Player application, it requests admin permissions after installation. Once it gains them, it contacts the C&C server, gets the encryption key from it, and encrypts the files on the device.
Finally, it shows a fake message, apparently coming from the US NSA, claiming that they user has been doing illegal things (such as violating copyrights laws), and demanding that he pays a fine to get his device unblocked and his files decrypted:
These particular scheme has been very successful so far, as the communication between the malware and its C&C server is not easily prevented.
Most ransomware uses the HTTP/S protocol to communicate with their C&C servers, and that type of traffic can be obstructed by blocking access to the URL address or static IP of the server.
But this ransomware uses the XMPP protocol to contact the control server, and this type of traffic is not that easily blocked, nor it the malicious part of it easily spotted.
“Furthermore, as this technique uses external library functions to handle the communication, the malware does not require any additional application to be installed on the device. As XMPP supports TLS, the communication between the client and the server is also natively encrypted,” Caspi pointed out.
Nevertheless, they managed to decrypt and analyze hundreds of thousands messages exchanged between the infected devices and the C&C servers, and discovered that tens of thousands of devices infected with this malware.
“We also observed that ~10% of the users paid between $200 and $500 in ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k,” he commented. “While these numbers are stunning, this might just be the tip of the iceberg, as our dataset is incomplete and the actual infection rate is probably much higher.”
The majority of victims are located in the US, and a smaller number in Asia and Europe.
The researchers have informed relevant XMPP server operators of the campaign, and the latter have moved to suspend the XMPP C&C accounts used by the crooks.
Unfortunately, new samples of the malware are popping up and other accounts are being set up daily.
Users who fall victim to this scheme are advised not to pay the ransom and to seek help from experts because the malware can’t be easily uninstalled by tech-unsavvy users. Of course, the encrypted files will be lost, but hopefully this will spur them to perform device backup more often.”