Android malware encrypts files on SD card, demands ransom payment

Android malware encrypts files on SD card, demands ransom payment
ESET has identified the first form of ransonware for Android that actually encrypts personal files on the device's memory card and won't decrypt them unless a ransom is paid.

Previous forms of ransomware found to affect Android devices typically used lockscreens or other methods (such as making it impossible to launch apps) to force a user into a payment. This one is more insidious because it actually encrypts files on the devices, specifically files with the extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4. The image with this article shows files in Total Commander that have been encrypted by the malware.



The app is in Russian and is likely only affecting a very small number of devices in that region. It demands payment in Ukrainian hryvnias (260 UAH, roughly $21, €16) using Ukraine's MoneXy payment service. When it finds its way to an Android device, it prompts the following message in Russian:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!"

The malware communicates with a command & control server, which is actually a Hidden Service on the TOR network, making it difficult for authorities to unmask its location on the Internet. It does provide means for a user to enter a payment code or anything like that which has been previously seen, instead it appears to wait for remote instruction to decrypt files.

ESET identifies the malicious software as Android/Simplock.A. It strongly advises users affected by this, and similar malicious apps, NOT to pay the ransom fee. By paying the fee, you encourage more malware of this kind and there is no guarantee the criminals will keep up their end of the scam.

To avoid Android malware like this, always make sure to get your apps from authorized sources like Google Play or the Amazon Store. Make sure to keep apps and Android as up to date as possible.

Ransomware has been in the headlines this week after a US-led effort targeted the Gameover ZeuS trojan/botnet and the Cryptolocker ransonware, which encrypts victim's files on their PCs and demands a random of 1 Bitcoin, which currently could cost around $600 to acquire.




Sources and Recommended Reading:
ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware: www.welivesecurity.com (by Robert Lipovsky)



Written by: James Delahunty @ 4 Jun 2014 15:04
Tags
malware Android Cryptolocker
Advertisement - News comments available below the ad
  • 7 comments
  • bankai987

    For some reason I think these antivirus companies are creating these viruses because the sophistication of these programs are incredible. Then putting them out in the wild so criminals can run with it. Which makes sense the criminals and "good guys" make more money.

    4.6.2014 21:57 #1

  • Ryberg360

    Originally posted by bankai987: For some reason I think these antivirus companies are creating these viruses because the sophistication of these programs are incredible. Then putting them out in the wild so criminals can run with it. Which makes sense the criminals and "good guys" make more money. AKA The Government

    5.6.2014 08:55 #2

  • dEwMe

    Get out your tinfoil hats eh?

    Just my $0.02,

    dEwMe

    5.6.2014 09:47 #3

  • ddp

    i don't have to worry about that as i don't have a cell phone nor do i want 1.

    5.6.2014 14:51 #4

  • Mrguss

    @ bankai987
    @ Ryberg360

    Crimeware toolkits:
    http://www.youtube.com/watch?v=CzdBCDPETxk

    Live Free or Die.
    The rule above all the rules is: Survive !
    Capitalism: Funnel most of the $$$ to the already rich.

    5.6.2014 21:59 #5

  • ChappyTTV

    Originally posted by bankai987: For some reason I think these antivirus companies are creating these viruses because the sophistication of these programs are incredible. Then putting them out in the wild so criminals can run with it. Which makes sense the criminals and "good guys" make more money. Malware is a multi Billion dollar business, these are not the skriptkiddies of the late 90's, early 00's. These are professional coders, some of the most talented around, lured of course by the huge amount of money involved.

    AV companies DO NOT write and distribute malware, that is a myth created & perpetuated by the conspiracy minded fools.

    8.6.2014 01:06 #6

  • ddp

    or is that "tools"?

    8.6.2014 15:12 #7

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud