ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware


SweX

Last weekend saw the (somewhat anticipated) discovery of an interesting mobile trojan – the first spotting of a file-encrypting ransomware for Android by our detection engineers.  

Let’s put this all into perspective, so we know what we’re dealing with here…

hxxp://www.welivesecurity.com/2014/06/04/simplocker/

Analysed Sample SHA1: 808df267f38e095492ebd8aeb4b56671061b2f72

https://www.virustotal.com/en/file/8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97/analysis/

Android malware: how to keep your device safe from filecoders (and everything else)  

When ESET researchers analyzed the first file-encrypting Trojan to demand a ransom from Android users via a control centre hidden on the anonymized Tor Network, the malware was “somewhat anticipated”, ESET malware researcher Robert Lipovsky writes.  

The malware Android/Simplocker, available as a bogus app, seems at present to be a proof-of-concept rather than a fully-fledged attack ready for mass release.

hxxp://www.welivesecurity.com/2014/...ice-safe-from-filecoders-and-everything-else/

Simplocker ransomware: New variants spread by Android downloader apps

Since our initial discovery of Android/Simplocker we have observed several different variants. The differences between them are mostly in:

  • Tor usage – some use a Tor .onion domain, whereas others use a more conventional C&C domain.
  • Different ways of receiving the “decrypt” command, indicating that the ransom has been paid.
  • Different nag screens, different ransoms (and different currencies as well – we’ve seen Ukrainian hryvnias as well as Russian rubles).
  • Use of imagery – some display a photo of the victim taken with the phone’s camera to increase the scareware factor.

hxxp://www.welivesecurity.com/2014/06/19/simplocker-new-variants/

Android/TrojanDownloader.FakeApp: 979020806f6fcb8a46a03bb4a4dcefcf26fa6e4c

https://www.virustotal.com/en/file/41b4dbc8cb144145c9eea8b0e4c9c9da3102ff42500923067ba32a5acfcaa858/analysis/

UPDATE: Our developers have created ESET Simplocker Decryptor, an easy-to-use tool to decrypt files that have been encrypted by Simplocker.  

To install the application, please download it from Virus Radar with your device or scan the QR code below. To install the app, you must allow installation from Unknown Sources (Settings -> Security -> Unknown Sources).

hxxp://www.welivesecurity.com/2014/06/25/simplocker-new-variants/
