Android ransomware demands 12x more cash, targets English-speakers

FBI child-abuse warning shake-down gets more sophisticated


Cybercrooks have further refined a strain of file-infecting ransomware that infects Android smartphones so that it targets English speakers and is more difficult to remove.

The newest variant of Android/Simplocker displays the ransom note in English and asks for a higher ransom of $300. The latest version also encrypts a wider range of file types and is more difficult to uninstall from devices than previous versions of Simplocker, which first surfaced in late May.

Previous versions displayed a ransom message written in Russian, with payment demanded in Ukrainian hryvnias. As before, victims are falsely accused of "viewing and distributing child pornography, zoophilia and other perversions", and misleadingly informed that their device has been locked down as a result of their perverse viewing habits.

The police-themed ransomware poses as a Flash video player, much like previous versions, which circumstantial evidence suggested were offered as a smut-viewing utility.

Previously, the malware extorted an "unlock fee" of 260 UAH ($21), so the crooks behind the latest incarnation of the scam are a lot greedier and perhaps more confident than before. The ransom now demanded is on par with that extorted by the infamous Windows PC-infecting CryptoLocker ransomware. Payment is via a MoneyPak voucher, as opposed to the hard-to-trace MoneXy eWallet service used previously.

The silver lining is that infection rates for the latest variant of the malware are low. "Our Android/Simplocker detection statistics don't indicate the threat to be widespread in English-speaking countries," according to anti-malware firm ESET.

Security researchers at ESET described early versions as a proof-of-concept nasty. The latest version is still fairly basic from a cryptographic perspective but it's been modified to encrypt archive files, a tweak that makes life far harder for victims.

"From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable," Robert Lipovsky, a malware researcher at ESET, explains in a blog post.

"In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This 'upgrade' can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well," Lipovsky warns.
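The warning above is that a file-encrypting trojan which targets ZIP, 7z and RAR files also destroys any backups stored in those formats. The script below is an added example, not code from ESET or from this article, of the cheap integrity check a defender can run over a backup store: every file whose extension claims an archive format is checked for that format's well-known magic bytes, and a header mismatch with near-8-bits-per-byte entropy is flagged, because that combination is what ciphertext leaves behind and plain corruption rarely does. The sample backup folder, file names and the 7.5-bit entropy threshold are constructed for the demonstration.

```python
"""Check that archive-format backups still look like archives.

Added example (not ESET's or The Register's code). A backup store whose
ZIP/7z/RAR files have been encrypted in place will keep the file names but
lose the format's magic bytes; this scanner flags exactly that.
"""
import math
import os
import tempfile
import zipfile

# Public file signatures for the archive types named in the article.
# An empty ZIP begins directly with the end-of-central-directory record.
ARCHIVE_MAGIC = {
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".rar": (b"Rar!\x1a\x07",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, most plaintext well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_backup(path: str) -> str:
    """Return 'ok', 'header-mismatch' or 'unknown-type' for one file."""
    ext = os.path.splitext(path)[1].lower()
    magics = ARCHIVE_MAGIC.get(ext)
    if magics is None:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(max(len(m) for m in magics))
    if any(head.startswith(m) for m in magics):
        return "ok"
    return "header-mismatch"


def scan_backup_dir(root: str) -> dict:
    """Walk a backup folder and return {relative path: verdict}.

    'header-mismatch-high-entropy' is the signature of an encrypted backup:
    the name still says archive, the bytes no longer do, and the content is
    statistically random. The 7.5-bit threshold is an assumed cut-off.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            verdict = classify_backup(p)
            if verdict == "header-mismatch":
                with open(p, "rb") as fh:
                    sample = fh.read(4096)
                if shannon_entropy(sample) > 7.5:
                    verdict = "header-mismatch-high-entropy"
            results[os.path.relpath(p, root)] = verdict
    return results


def build_sample_dir() -> str:
    """Constructed sample backup folder: a healthy ZIP, a stand-in for an
    encrypted ZIP (random bytes where the archive used to be), a healthy 7z
    header and one non-archive file."""
    root = tempfile.mkdtemp(prefix="backup-check-")
    with zipfile.ZipFile(os.path.join(root, "contacts.zip"), "w") as zf:
        zf.writestr("contacts.vcf", "BEGIN:VCARD\nFN:Example\nEND:VCARD\n")
    with open(os.path.join(root, "photos.zip"), "wb") as fh:
        fh.write(os.urandom(8192))  # stand-in for ciphertext
    with open(os.path.join(root, "sms.7z"), "wb") as fh:
        fh.write(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not an archive\n")
    return root


if __name__ == "__main__":
    folder = build_sample_dir()
    for rel, verdict in sorted(scan_backup_dir(folder).items()):
        print(f"{verdict:30} {rel}")
```

Run against a real backup folder by passing its path to `scan_backup_dir`; anything reported as `header-mismatch-high-entropy` should be restored from an off-device copy rather than trusted. The magic-byte check is deliberately independent of any file-name change a particular trojan might make, so it also catches encryption that leaves names untouched.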

In addition, the malware now asks to be installed as Device Administrator, making it a lot more difficult to remove.

Although still not especially advanced, Simplocker is the next step on from the screen-locking ransomware Android FakeDefender, which Symantec discovered a year ago. FakeDefender can be exorcised by booting the device into safe mode, whereas getting rid of Simplocker is more difficult but still possible.

ESET, for example, has released a Simplocker Decryptor utility. No such tool is possible for CryptoLocker victims, thanks to the use of stronger cryptography schemes. ®
