No matter the product, developers continue to work to make them better and the same is true for malware developers as there is now a stronger strain of file-infecting ransomware that infects Android smartphones.
The newest variant of Android/Simplocker displays the ransom note in English and asks for a ransom of $300. The latest version also encrypts a wider range of file types and is more difficult to uninstall from devices than previous versions of Simplocker, which first surfaced in late May.
Previous versions contained a ransom message written in Russian, with payment demanded in Ukrainian hryvnias. As before, victims end up falsely accused of “viewing and distributing child pornography, zoophilia and other perversions,” and misleadingly informed their device ended up locked-down as a result of their viewing habits.
The police ransomware poses as a Flash video player, a feature found in previous versions.
Previously, the malware extorted an “unlock fee” of 260 UAH ($21), so the crooks behind the latest incarnation of the scam are stepping up the playing rules a bit more. The ransomware fee now demanded is on par with that extorted by the Windows PC-infecting CryptoLocker ransomware. Pay-off is via a MoneyPak voucher as opposed to the hard-to-trace MoneXy eWallet service previously used.
The silver lining is infection rates for the latest variant of the malware are low. “Our Android/Simplocker detection statistics don’t indicate the threat to be widespread in English-speaking countries,” according to anti-malware firm ESET.
Security researchers at ESET described early versions as a proof-of-concept. The latest version is still fairly basic from a cryptographic perspective but one modification allows it to encrypt archive files, a tweak that makes life far harder for victims.
“From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable,” said Robert Lipovsky, a malware researcher at ESET, in a blog post.
“In addition to encrypting documents, images and videos on the device’s SD card, the Trojan now also encrypts archive files: ZIP, 7z and RAR. This ‘upgrade’ can have very unpleasant consequences. Many Android file backup tools store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well,” Lipovsky said.
In addition, the malware now asks to install as a device administrator, making it a lot more difficult to remove.