Android users are at a risk of turning into victims of ransomware dubbed Simplocker as file-encrypting malware makes the jump to mobile platforms for the first time.
First detected by the security firm Eset, Simplocker is a cryptolocker style Android virus, which has an associated C&C server hosted on a TOR domain, scrambles files on the SD cards of infected devices before demanding payment to decrypt the files.
According to the blogpost from the security company, victims are asked for a payment of 260 Ukrainian hryvnias (£13) to decrypt files and are directed to MoneXy transfer service.
Eset believes Simplocker to be far less dangerous than Cryptolocker, and is more like “a proof-of-concept or a work in progress” rather than an all-out attack. The source of the malware is said to be an application “Sex xionix,” which is not officially found on Google PlayStore.
Robert Lipovsky, ESET’s security intelligence team lead said that Simplocker is capable of encrypting user’s files and without the decryption keys, the data will most certainly be irretrievable.
“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them”, notes Lipovsky.
This is the first reported instance of malware encrypting data on Android phones for ransom, although there had been similar cases before. Earlier last month, security researcher Kafeine reported about a variant which prevented apps from launching unless a $300 payment was made.