
ESET uncovers first Android file-encrypting piece of ransomware

Android/Simplocker malware allows hackers to hold users' devices to ransom

Malware researchers at security vendor ESET claim to have uncovered the first example of file-encrypting ransomware aimed at Android users.

In a blog post announcing the finding, the company said the Android/Simplocker malware works by scanning a user's smartphone or tablet for files to encrypt, before demanding a ransom to unlock them.

The file types targeted by the malware include jpeg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4.

Affected users are usually notified that their device has come under attack by a ransom message that is written in Russian and demands payment in Ukrainian hryvnias.

Robert Lipovsky, an ESET malware researcher, wrote in the blog: "It's fair to assume that the threat is targeted against this region.

"This is not surprising, the very first Android SMS Trojans back in 2010 also originated in Russia and Ukraine," he added.

The message accuses the device user of accessing and distributing child abuse images, as well as information about "other perversions", before issuing instructions about how to pay the ransom.

"After payment your device will be unlocked within 24 hours," the message states.

"In case of no payment, you will lose all data on your devices."

The researchers also discovered the malware keeps in contact with a Command & Control server, and sends identifiable information from the device back to it.

This server is also thought to notify the device once payment has been received, so that it can be unlocked.

"Our analysis of the Android/Simplock... revealed that we are most likely dealing with a proof-of-concept or a work in progress for example," Lipovsky continued.

"Nevertheless, the malware is fully capable of encrypting the user's files, which may be lost if the encryption key is not retrieved.

"While the malware does contain functionality to decrypt the files, we strongly recommend against paying up not only because that will only motivate other malware authors to continue these kind of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them," he added.
