CryptoLocker wannabe “Simplelocker” scrambles your files, holds your Android to ransom

Only this week, we published an article about 10 Years of Mobile Malware.

That’s because Cabir, a Bluetooth virus for Symbian devices, was the first reported “phone malware,” ten years ago in June 2004.

And we discussed the evolving problem of mobile malware in this week’s Chet Chat, where we offered the opinion that:

For the first few years, it didn't look as though the crooks were that interested, because I guess they hadn't really figured out a way to make money... It was several years before things unfortunately came to the point that ... the crooks realised there really is money to be made out of [mobile malware]... [T]hey can just copy what's worked on Windows computers.

At least, that’s how Android threats have played out so far.

Where Windows has gone, Android has followed

We’ve seen fake anti-virus for Android following in the footsteps of Windows scareware, even in Google’s own Play Store.

And we’ve recently seen Android ransomware called Koler that tries to take over your device under threat of police prosecution, unless you pay up.

The Koler malware didn’t merely borrow its modus operandi from the infamous Reveton ransomware on Windows – it looks as though the same cybercrooks are behind both scams.

Next step, Cryptoransomware!

Well, with the big security news lately being the US-led takedown of the Gameover and CryptoLocker malware operations, we know what’s on your mind.

“If the crooks keep copying Windows threats that were financially lucrative,” you’re thinking, “we’ll soon see Android ransomware that doesn’t just lock your device, but locks up your data instead, or as well.”

Just like CryptoLocker.

Koler said that’s what it had done, but it wasn’t telling the truth. (Dishonest malware! Who’d have thought?)

The problem with ransomware that relies entirely on popping up a “take-over-the-whole-screen” app (at least, the problem if you are a cybercrook) is that victims can usually get around it without paying.

In fact, for Koler, we showed you how to do just that, using Android’s Safe Mode: you reboot so you have control, leaving you free to uninstall the app while it isn’t in the way.

Introducing “Simplelocker”

Sadly, mobile malware that really does encrypt your data, in the style of CryptoLocker, is no longer just a thought experiment.

Simplelocker, also known as Andr/Slocker-A, does just that.

Once you’re infected, you’ll see a pop-over window that accuses you of a crime, and offers you a way to pay a fee, get your data back and – presumably – avoid being reported to the authorities.

→ We’ve not heard of any country with an official court system that accepts QIWI VISA WALLET payments or MoneyPak, so we’re assuming victims will realise that this is outright blackmail: “Pay us or we’ll tell the cops, and all the data will still be there for them to see.”

Pay up or else

As with the Koler malware, the Simplelocker blackmail window fills the screen and won’t go away.

If you try to switch to another application (such as Settings so you can turn on debugging access or uninstall the app), it quickly comes back.

A plain reboot might help, but you have to be quick: the malware reappears automatically, leaving you only a short time to jump into Settings | Apps | Downloaded to uninstall it.

The good news is that you’re not terribly likely to come across the Simplelocker malware, especially if you keep your Android device configured to accept software only from Google Play.

The other good news is that, although it does scramble a range of different image, document and movie files, the encryption isn’t cloud-controlled like CryptoLocker.

By that, we mean that the malware doesn’t go online to fetch an encryption key from the crooks, but instead uses a key that’s stored inside the malware code.

That means, unlike CryptoLocker, it will detonate even if it can’t call home to the crooks’ own servers.

But it also means that it is possible, albeit with some effort, to recover your files if you get hit, since you can tell how the files were encrypted, and what key was used.

If you don’t care about your scrambled files, you can remove the malware using the Safe Mode technique mentioned above and simply delete any data files that will no longer open.

The Simplelocker family

SophosLabs has seen a number of different variants of Simplelocker: some target Russians, while others target Ukrainians.

Also, some variants include an Android version of Tor (The Onion Router), an anonymising service that is used to contact the crooks instead of using regular web connections that are easier to trace.

Sophos products detect all variants, with and without Tor, as Andr/Slocker-A.

The variants we have looked at all appear in the list of downloaded apps under the name Shadow Fight 2, but show up when you uninstall them with a range of names: Shadow Fight 2, Sex xonix, VX Player and Video Player.

Five easy tips

Once again, here are our five easy tips to help you deal with Android malware of all sorts, including ransomware:

• Install a reputable anti-virus program to scan all new apps automatically before they run for the first time.
• Be cautious of apps you are offered in ads and pop-ups.
• Keep off-device backups of your important data.
• Read our article about using “Safe Mode“, just in case you ever need it in a hurry.
• Stick to Android’s default setting of allowing installs from the Google Play store only.

We know that the last point above is contentious to some readers, who prefer to shop outside Google’s “company store,” e.g. at Amazon or in other markets.

In that case, why not simply turn the “Unknown sources” option on only while you really need it, and turn it off again afterwards?

(Sophos Anti-Virus and Security for Android has a handy Security Advisor screen that will remind you of risky options you have chosen, and take you with a single tap straight to the right place in Settings to change them.)

What happens next?

Simplelocker isn’t very sophisticated: you can easily avoid it, and even if it all goes horribly wrong, you can (at least in theory) recover without dealing with the crooks at all.

But, then again, it calls itself Simplelocker, as though it’s just testing the waters.

So if Android malware really does follow where Windows has gone before…

…consider yourself warned!