File-encrypting Android ransomware ‘Simplocker’ targets English-speaking users

A ransomware threat that encrypts files stored on the SD memory cards of Android devices has been updated to target English-speaking users with FBI-themed alerts.

The malware app is called Simplocker and was first identified by security researchers from antivirus vendor ESET in early June. At the time it was the first malicious program for Android devices that used file encryption to extort money from victims.

[Android ransomware marks profitable new era for cybercriminals]

The original variant was indicative of a work in progress and displayed ransom notes exclusively in Russian, but that has changed recently. Simplocker is now being sold on underground forums and actively distributed to users, so it’s no longer just a proof of concept, the ESET security researchers said Tuesday in a blog post.

A new variant found recently displays a message to victims in English that masquerades as an alert from the U.S. Federal Bureau of Investigation about illegal pornographic content being found on the device. The victims are instructed to pay a so-called fine of US$300 through a payment service called MoneyPak.

In addition to expanding the pool of potential victims by adding English language support, the new Simplocker version also has some other improvements, the ESET researchers said.

The previous list of file types encrypted by the malware included mostly images and documents. The new version also encrypts archive files with the .zip, .7z and .rar extensions.

“Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files,” the ESET researchers said. “In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well.”

So not only will users lose access to their documents and pictures, but they will be unable to restore them from backups stored on the same SD card.

The malware installer masquerades as a Flash video player application and requests to be granted device administrator permissions. This makes the new Simplocker much harder to remove once installed.

[Stealthy ransomware ‘Critroni’ uses Tor, could replace Cryptolocker]

The good news is that Simplocker’s authors haven’t improved their encryption implementation, which relies on a hardcoded key and can therefore be undone. The new variant uses a different key than the original versions, but users are still able to recover their files without paying.

ESET has updated their free Simplocker Decryptor tool to add support for files encrypted by the new malware variant.