Blue Coat Labs

Labs Blog

"Simplelocker" Android Ransomware Encrypts Files

"Simplelocker" Android Ransomware Encrypts Files

Andrew Brandt

A worrying update to the problem of ransomware on mobile phones appears to be proliferating in Ukraine and Russia, where Android users are being tricked into installing malware that encrypts photos and other information on their mobile phones.

The malware, which calls itself Simplelocker, presents itself to users as one of a variety of apps used to browse and view pornographic videos. We looked at 22 separate samples ranging in size from 30kb to 4.8MB. The app employs a range of different names on its installation screen, including DayWeekBar, VideoPlayer, VPlayer, or Sex xonix.

The malware had very low or nonexistent detections in antivirus at the time we retrieved it.

When installed, the app can launch itself and prevents other apps from launching. If you hit the Home button on the Android device, the phone desktop appears for a few moments, but the ransomware app rapidly relaunches---a behavior observed as recently as last month, when we began to see the less-destructive but equally annoying Reveton ransomware adopted into the world of Android malware.

Its appearance on the phone is fairly monolithic: a white screen with text in the Cyrillic alphabet threatens the user that they've been caught surfing child porn or some other salacious activity.

The screen also instructs victims to visit a type of payment kiosk commonly used in Russia or Ukraine, and pay from 180 to 260 Hyvrnia (the currency used in Ukraine) or 1000 to 1200 Russian Rubles to one of a small number of accounts. At least victims can be grateful for the low, low price: 260 Hryvnia translates to around $20 in the US; 1000 to 1200 Rubles converts to around $30. That's significantly cheaper than then hundreds of dollars being charged by the operators of the Cryptolocker ransomware scam.

But the damage the malware can do is no less worrisome. The malware targets a limited number of file types (apparently only JPEG and PNG images, and plain text files, identified solely by their file suffix) only when they are stored on the device's memory card, and encrypts those files using the AES encryption algorithm; The encrypted files carry a new extension of .enc when the malware has done its work. Other types of files, including MP3 music and office documents, as well as operating system files, were left untouched.

The malware's threat claims that if payment is not made within 24 hours, then the method to decrypt the files will be destroyed. We don't see evidence that there's a way to carry out this part of the threat in the versions of this malware we've been scrutinizing, but that doesn't mean it can't happen in a future release.

It also contains some code that attempts to make it more difficult to log the offending behavior in the Android Debug Monitor, a part of the Android software development kit used by programmers who write apps for Android. But we were able to see the malware's entire set of function calls in the debug monitor, whether we ran the malware in a real phone hooked to the monitor, or in an Android Virtual Device.

We've also determined that the software seems to require mobile devices with an ARM processor, common but not ubiquitous, in order to perform the CPU-intensive cryptographic functions. Android devices running other types of less common processors may be immune to the encryption portion, but the annoyance of a program that constantly starts itself up and blocks you from using your phone does not go away.

The malware communicates with its command-and-control servers using the Tor network over whichever network connection is available; On our test systems, we limited the network activity to the WiFi adapter so we could observe it and run it through the SSL Visibility Appliance, which had no trouble re-signing the SSL certificates used by the traffic.

Not only are there references to .onion sites in the code, but we saw Tor-like algorithmically generated domain names in use in the Security Analytics metadata of the traffic.

Clearly, the simplest way to prevent this kind of app from causing damage to your phone is to avoid downloading apps from anywhere other than legitimate app markets or stores. We've also, in the past, seen mobile advertising networks link directly to Android applications in unscrupulous ad calls when mobile device browsers visit "red light district" Web sites.

When in doubt, if presented with an installation dialog for an app you did not intentionally download, hit the Cancel button instead of Install; and if you do install something you didn't intend to, by all means, uninstall it before you run the program.

The existence of destructive ransomware also, once again, calls attention to the necessity of performing backups of important information, even from your mobile phone.

Special thanks to Felix Leder in our malware reverse engineering team, who brought this to our attention and did a lot of the initial analysis of the malware.