
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Android ransomware punishes porn viewers

Simplocker is ransomware that encrypts files on an infected Android device and then demands a ransom fee to decrypt them. The app presents itself as a pornography player, in this case under the name “Sex xonix”. After the app is launched, a message appears on the screen accusing the user of watching and distributing child pornography, among other things. The user is asked to pay 260 UAH (Ukrainian hryvnia), around $22, via MoneXy, a money transfer service used mostly in Russia and Ukraine. No credit card is involved, so tracing the transactions can be very hard.

The malware scans the SD card on the device and encrypts files with extensions such as .jpg, .png and .doc, among others. The device becomes unusable because if the user exits the application it reopens itself again after about 4 seconds. The malware collects the device IMEI and other details to identify the device and communicates with its command and control server over the Tor network to hinder tracing. Although the app contains decryption code, which in theory would enable it to decrypt all the files on the device, there is no guarantee that the attacker would ever provide the key.

The text from the application translated:

“Attention: your phone has been blocked! The device is blocked for viewing and distributing child pornography, and other perversions.

To unlock your device you must pay 260 UAH.

1. Find the nearest payment terminal.

2. Select MoneXy

3. Enter 380———

4. Make a deposit of 260 Hryvnia

Don’t forget to take a receipt!

In case of no payment you will lose all the data on the device.”

Technical details

CYREN detects the malware as AndroidOS/Simplocker.A.gen!Eldorado. The app has to be installed manually by the user. When the application is launched for the first time it connects to a command and control server through the Tor network. The device ID (IMEI), device model and build version are sent to the server. Currently there are two domains for this server; in this sample the domain is: http://———hxs.onion/

Image 3: Part of the source code where the malware connects to the server hosted on the Tor network.

After this is done the malware scans the SD card for files with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.


The malware then encrypts every file it finds with these extensions using the AES encryption algorithm and appends the .enc extension to each encrypted file.

Image 5: Part of the encryption code.

Images 6 and 7: Before and after encryption.
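As an added example (not code from the Cyren analysis or from the malware), the following Python triage script walks a mounted SD card image and inventories files that carry Simplocker's naming pattern, an original target extension followed by .enc, so an incident responder can gauge what was hit. The directory layout and file names are constructed sample data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File extensions Simplocker targets, as listed in the analysis above.
TARGET_EXTENSIONS = {
    ".jpeg", ".jpg", ".png", ".bmp", ".gif", ".pdf", ".doc",
    ".docx", ".txt", ".avi", ".mkv", ".3gp", ".mp4",
}
ENC_SUFFIX = ".enc"  # appended by the malware after encryption


def is_simplocker_artifact(name: str) -> bool:
    """True if the name looks like <name>.<target extension>.enc."""
    p = Path(name)
    if p.suffix.lower() != ENC_SUFFIX:
        return False
    # Path("IMG_001.jpg.enc").stem == "IMG_001.jpg", whose suffix is ".jpg"
    return Path(p.stem).suffix.lower() in TARGET_EXTENSIONS


def triage(root: str) -> dict:
    """Walk a mounted SD card image and summarise Simplocker artifacts."""
    hits = []
    untouched = 0
    for dirpath, _, files in os.walk(root):
        for f in files:
            if is_simplocker_artifact(f):
                hits.append(os.path.join(dirpath, f))
            elif Path(f).suffix.lower() in TARGET_EXTENSIONS:
                untouched += 1  # targeted type, but not (yet) renamed
    by_ext = Counter(Path(Path(h).stem).suffix.lower() for h in hits)
    return {"encrypted": sorted(hits),
            "by_extension": dict(by_ext),
            "untouched_targets": untouched}


def build_sample_tree() -> str:
    """Constructed sample data: a fake SD card with a mix of files."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    for rel in ["DCIM/IMG_001.jpg.enc", "DCIM/IMG_002.png.enc",
                "Documents/report.docx.enc", "Documents/notes.txt",
                "Music/song.mp3", "Download/archive.zip.enc"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"x")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

A real .enc file whose inner extension is not on the target list (archive.zip.enc in the sample) is deliberately not counted, since it does not match this family's pattern.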

The source code also contains a decryption class and a method that stops the malware from displaying the ransom demand image, so decryption would theoretically be possible if the attacker decided to provide the key.

Image 8: The source code for the decryption part.

The malware was not found on the Google Play Store, and the best way to keep malware off your Android device is to never install applications from unknown sources. Make sure your Android device does not have the “Unknown Sources” option enabled: Settings → Security → Unknown Sources.

