There is a file-encrypting strain of ransomware that infects Android smartphones, researchers said.
The malware, called Android/Simplocker, scans the SD card in a handset for certain types of files, encrypts them, and demands a ransom to decrypt the data, said researchers at ESET.
The ransom message is in Russian, with payment demanded in Ukrainian hryvnias. The message falsely accuses victims of “viewing and distributing child pornography, zoophilia and other perversions,” and the device is locked down as a result.
An “unlock fee” of 260 UAH (U.S. $21) is the ransom, which is a lot less than the $410 demanded by CryptoLocker, which infects Windows PCs. The developers behind Android/Simplocker collect their money via the hard-to-trace MoneXy eWallet service.
The Android malware is fairly basic, ESET researchers said in a blog post. It’s not immediately clear how the malware spreads. The sample ESET researchers looked at was in an application called “Sex xionix” – suggesting the malware is a Trojan that poses as a legit smut-viewing app.
In terms of sophistication, the software is ahead of the fake antivirus and screen-locking ransomware called Android Defender, discovered by Symantec a year ago. With mobile devices becoming more of a force, more smartphone-locking malware is surfacing. Android Defender can be disabled by booting a device into safe mode; removing Android/Simplocker, however, is a trickier process.
Files with an extension of jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, or mp4 are encrypted using AES. The malware is remotely controlled by a command server hosted within the Tor network.
Victims should, however, be able to recover encrypted files from a backup.
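Since recovery depends on a backup, one way to check that every file of the targeted types actually has a current copy is sketched below. This is an added example, not code from ESET or from the malware; the directory arguments and the function names are assumptions, and the backup is assumed to mirror the SD card's folder layout.

```python
import hashlib
import os
import sys

# Extensions the article lists as encrypted by Android/Simplocker.
TARGETED = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
            "txt", "avi", "mkv", "3gp", "mp4"}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large videos do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def targeted_files(root):
    """Yield paths (relative to root) whose extension is in TARGETED."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext in TARGETED:
                yield os.path.relpath(os.path.join(dirpath, name), root)

def audit_backup(sd_root, backup_root):
    """Classify each targeted file as 'ok', 'missing' or 'stale'."""
    report = {"ok": [], "missing": [], "stale": []}
    for rel in sorted(targeted_files(sd_root)):
        copy = os.path.join(backup_root, rel)
        if not os.path.isfile(copy):
            report["missing"].append(rel)   # no backup copy at all
        elif sha256_of(copy) != sha256_of(os.path.join(sd_root, rel)):
            report["stale"].append(rel)     # backup differs from the original
        else:
            report["ok"].append(rel)
    return report

if __name__ == "__main__":
    # Usage: python audit.py <copy of SD card> <backup directory>
    result = audit_backup(sys.argv[1], sys.argv[2])
    for status in ("missing", "stale"):
        for rel in result[status]:
            print(f"{status}: {rel}")
    sys.exit(1 if result["missing"] or result["stale"] else 0)
```

Run it against a mounted or pulled copy of the SD card; a non-zero exit status means at least one file of a targeted type could not be restored as it currently exists.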