
Android/Simplocker ransomware targets English-speaking users

Last month we wrote about new variants of the Simplocker file-encrypting ransomware for Android, in which the attackers changed some of the malware's behaviour as well as its distribution vectors. Last week we discovered further new variants (detected as Android/Simplocker.I) that add several significant improvements.



The first change that catches the eye is the ransom message, which is now displayed in English. The message intimidates the victim into paying by claiming that the device has been locked by law enforcement, specifically the FBI, after illegal content in the form of child pornography was detected on it. Such ransomware pretexts are common in the Windows world. The ransom demanded is now $300 (compared with 260 hryvnia, roughly 16 euros or $21, in the previous version), and payment must now be made through the MoneyPak service. As in earlier Simplocker versions, the attackers continue to include a shot from the smartphone's camera in the ransom screen.


From a technical point of view, the file encryption mechanism is almost unchanged apart from the use of a new encryption key. In addition, the updated Trojan also encrypts ZIP, 7z and RAR archives; these formats were added to the image, document and video files that the previous modification already targeted.



Encrypting archives can have particularly unpleasant consequences for the user: Android backup tools (which we strongly recommend using) store their backups as archive files, so on a device infected with Android/Simplocker.I those backups will be encrypted as well.

The malware also asks to be installed as a Device Administrator, i.e., it requests elevated rights in the system. Legitimate applications use Device Administrator rights for various purposes, mostly related to security; an example is corporate device management tools, which can enforce a password policy and remotely wipe data from a stolen device.

Android/Simplocker.I uses its Device Administrator status to defend itself against removal: before the application can be uninstalled, the user must first revoke it in the list of device administrators (Settings -> Security -> Device Administrators).
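An added triage helper for the situation above (not code from the original post or from ESET): it parses the text that `adb shell dumpsys device_policy` prints, lists the active Device Administrator apps with the policies they hold, and flags any that are not on an allowlist of approved management apps, so an analyst can see which entry must be revoked under Settings -> Security -> Device Administrators before the app can be uninstalled. The dumpsys layout, the package names and the sample output are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
# Constructed sample of `adb shell dumpsys device_policy` output (not a real capture;
# the layout is an assumption): a legitimate MDM admin and a "video player" with admin rights.
SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.example.mdm/.AdminReceiver:
      uid=10045
      policies:
        wipe-data
    org.example.videoplayer/.DeviceAdmin:
      uid=10102
      policies:
        force-lock
  Password policies: none
"""

@dataclass
class DeviceAdmin:
    component: str                      # package/receiver, as dumpsys prints it
    uid: Optional[int] = None
    policies: List[str] = field(default_factory=list)
def parse_device_admins(dump: str) -> List[DeviceAdmin]:
    """Return the admins listed under 'Enabled Device Admins', keyed on indentation."""
    admins: List[DeviceAdmin] = []
    current: Optional[DeviceAdmin] = None
    in_section = False
    for line in dump.splitlines():
        text = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if text.startswith("Enabled Device Admins"):
            in_section = True
        elif not in_section or not text:
            continue
        elif indent <= 2:               # next top-level section: stop
            break
        elif indent == 4 and text.endswith(":"):
            current = DeviceAdmin(component=text[:-1])
            admins.append(current)
        elif current is not None and indent == 6 and text.startswith("uid="):
            current.uid = int(text[4:])
        elif current is not None and indent == 8:
            current.policies.append(text)    # e.g. force-lock, wipe-data
    return admins

def unexpected_admins(admins: List[DeviceAdmin], allowlist: Set[str]) -> List[DeviceAdmin]:
    """Admins not on the approved list: revoke them under Settings -> Security -> Device Administrators."""
    return [a for a in admins if a.component.split("/", 1)[0] not in allowlist]
```

Run against a real device by replacing `SAMPLE_DUMP` with the captured dumpsys text; anything returned by `unexpected_admins` holding `force-lock` or `wipe-data` deserves attention first.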

As in many other malware campaigns, the attackers rely on social engineering to get the user to install the malware: it masquerades as a video player, as shown in the screenshot below.



Our detection statistics have so far not recorded widespread distribution of this threat in English-speaking countries.

If your device has been hit by Android/Simplocker, you can use the updated ESET Simplocker Decryptor tool to recover your data. But, as usual in such cases, we recommend focusing on preventing infection: be careful when installing applications on your device, especially those that request Device Administrator privileges.

Source: https://habr.com/ru/post/230995/
