ESET discovers decryptor tool for Simplocker Malware

ESET, a global pioneer in proactive protection for 25 years, has discovered a decryptor tool, ESET Simplocker Decryptor, an easy-to-use tool to decrypt files that have been encrypted by the Simplocker malware. ESET’s research and development team was the first anti-virus brand to discover the decryptor tool.

The Simplocker malware is mostly concentrated in Ukraine and Russia. While the malware may display traits of a proof-of-concept, it is indeed spreading like wildfire to all countries, which can cause major trauma for the users infected with it.

Since ESET’s discovery of Android/Simplocker, several different variants have been observed. The differences between them are mostly in:

  • Tor usage – some use a Tor .onion domain, whereas others use a more conventional C&C domain.
  • Different ways of receiving the “decrypt” command, indicating that the ransom has been paid.
  • Different nag screens, different ransoms (and different currencies as well – we’ve seen Ukrainian hryvnias as well as Russian rubles).
  • Use of imagery – some display a photo of the victim taken with the phone’s camera to increase the scareware factor.

   Figure 1 – Android/Simplocker.B nag screen with victim’s photo and Russian rubles instead of Ukrainian hryvnias

The simplistic encryption approach, AES with a hard-coded password, is still present in most samples seen in the wild. Some variants don’t contain the file-encrypting functionality at all and act as lock-screen ransomware.
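A hard-coded password is exactly what makes a decryptor possible: every victim’s files are protected by the same key, so a recovery tool only needs that key and the file layout. The Go program below is an added illustration, not ESET’s tool and not the malware’s own code; the password value, the SHA-256 key derivation and the IV-prefixed AES-CBC file layout are all assumptions made up for this example. It also shows the check a recovery tool relies on: a PKCS#7 padding failure after decryption is the first sign that the key guess or the assumed layout is wrong.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a hard-coded password; not the value from any real sample.
const hardcodedPassword = "example-hardcoded-password"
// keyFromPassword: SHA-256 is an assumption for this example, not the malware's own derivation.
func keyFromPassword(pw string) []byte {
	sum := sha256.Sum256([]byte(pw))
	return sum[:]
}

// Recover decrypts one file body (assumed layout: 16-byte IV, then AES-256-CBC with PKCS#7
// padding) using the fixed key; a padding failure is the first sign of a wrong key or layout.
func Recover(enc []byte, pw string) ([]byte, error) {
	if len(enc) < 2*aes.BlockSize || len(enc)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input is not an IV plus whole AES blocks")
	}
	block, _ := aes.NewCipher(keyFromPassword(pw)) // 32-byte key: cannot fail
	out := make([]byte, len(enc)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, enc[:aes.BlockSize]).CryptBlocks(out, enc[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key or corrupted file")
	}
	return out[:len(out)-n], nil
}

// EncryptFixture builds a sample "victim file" so the example runs offline (fixed IV: fixture only).
func EncryptFixture(plain []byte, pw string) []byte {
	block, _ := aes.NewCipher(keyFromPassword(pw))
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

func main() {
	enc := EncryptFixture([]byte("holiday photo bytes (constructed)"), hardcodedPassword)
	plain, err := Recover(enc, hardcodedPassword)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```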

One of the most important questions when a piece of malware is discovered concerns the infection vector: in what ways can it get onto a victim’s device? ESET LiveGrid telemetry has indicated several infection vectors used by Android/Simplocker. The “typical” ones revolve around internet porn – some malicious apps pretended to be an adult video, an app for viewing adult videos, etc. – or popular games like Grand Theft Auto: San Andreas, and so on.

The ESET team also noticed a different dissemination trick that’s worth mentioning – the use of a trojan-downloader component. Using trojan-downloaders to “dynamically” download additional malware onto an infected system is common practice in the Windows malware world, but it is still noteworthy on Android.

One trojan-downloader (detected by ESET as Android/TrojanDownloader.FakeApp) that we analyzed was attempting to trick the user into downloading a fake video player – which, as you might have guessed, was the Android/Simplocker trojan. The trojan-downloader strategy has a greater chance of slipping under the radar of Android market application scanning (such as Bouncer on the official Google Play, for example), or even of escaping the notice of a more careful Android user, because:

  • All the application does is open a URL outside the app – this does not, in itself, qualify as malicious behavior; and
  • The downloader has practically no “potentially harmful” application permissions – so even a user who scrutinizes app permissions at installation may allow this one.
