First Android File-Encrypting, TOR-enabled Ransomware Discovered

Dubai, United Arab Emirates - 5 June, 2014 - Global IT security leader, ESET today announced that its engineers have spotted the first instance of a file-encrypting ransomware for Android. Once it has successfully infected a devices, this Android trojan scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files.

After launch, the trojan displays a ransom message and encrypt files in a separate thread in the background. The ransom message is written in Russian and the payment is demanded in Ukrainian hryvnias. The message roughly translates to:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography, zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter {REDACTED}.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!"

The malware directs the victim to pay using the MoneXy service as it is not as easily traceable as using a regular credit card.

Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES. It will also contact its Command & Control server and send identifiable information from the device like its IMEI.

The sample analyzed by ESET is in the form of an application called ‘Sex xionix’. It was not found on the official Google Play store and the company estimates that its prevalence is low at this time but believes that this is most likely a proof-of-concept or a work in progress.

In light of such advanced malware, Pradeesh VS, General Manager at ESET Midlde East provided the following advice to Android Users, “We encourage users to protect themselves against these threats by prevention- by using mobile security solutions such as ESET Mobile Security for Android- and adhering to best security practices, such as keeping away from untrustworthy apps and app sources. If they are unfortunate to already be infected, they should recover the files from a backup. Because when you have a backup, then any Filecoder trojan- be it on Android, Windows, or any operating system- is nothing more than just a nuisance.”