Types header

Simplocker Ransomware

Name

SIMPLOCKER

Type

Mobile Ransomware

Encryption Type

AES cipher

Short Description

First File encrypting ransomware for android it was detected in may 2014.

Symptoms

The device cannot be used

Distribution Method

Android/Simplocker usually tries to trick the user into installing it by camouflaging itself as a legitimate and popular application – a common technique for Android malware.

Image

SIMPLOCKER

More Details

Once this enters the victims device it scans the SD card2 for files with any of the following extensions – JPEG, JPG, PNG, BMP, GIF, PDF, DOC, DOCX, TXT, AVI, MKV, 3GP, MP4

Then it starts to encrypt them using the AES cipher. The encryption key uses hardcoded inside the binary as plain text, so it was trivial to decode them, unlike the more established Windows crypto-ransomware families. For this reason, we dubbed the malware Android/Simplocker and believed that these first variants were either just a proof-of-concept or an early development version of a more serious threat.

The reason why the trojan-downloader strategy had a greater chance of slipping under the radar of Android market application scanning) or even escaping the notice of a more careful Android user is that: All the application does is open a URL outside the app and this does not in itself qualify as malicious behavior The downloader has practically no harmful application permissions ,so even a user who doubts app permissions during installation may allow this one.

Another noteworthy change was that the malware started to use the XMPP (Extensible Messaging and Presence Protocol) protocol (Jabber) for communication with its C&C server. Using XMPP makes it more difficult to trace the C&C servers than if HTTP were used. Android/ Simplocker uses this instant messaging communication protocol to send information about the infected device to the server and to execute commands received. A third type of C&C server addressing used by some Android/Simplocker variants is the use of Tor .onion domains.

The most important step in Simplocker’s evolution was in the encryption keys used by the malware to encrypt the victim’s files. A few months after the initial versions, we spotted Simplocker variants that used unique cipher keys generated and sent from the C&C server. This marked the end of the trojan’s proof-of-concept stage and it was no longer possible to decrypt the hijacked files easily.