The company Eset has found Simplocker, an extortion malware program for devices running Android that encrypts user files and then demands a ransom for their decryption. This type of extortion application is widespread on Windows, but this is the first time it has been detected for Android, according to the company's blog.
As Eset explained to “Lenta.ru”, experts had previously found several extortion programs that simply blocked the device without encrypting the files on it. In one case, the attackers demanded that the user “buy and install an antivirus application” to unlock the device; there were also variants that demanded payment of a fine for viewing illegal content, visiting banned sites, etc.
After infecting a user’s device, the malware checks the memory card for images, documents, or video, then encrypts each of these files and blocks access to the device.
A message then appears on the screen saying that the device is locked. The message is written in Russian, but it demands payment of the ransom in Ukrainian hryvnias, which, according to Eset experts, suggests that the extortionists are focusing on Ukraine.
The attackers offer the user of the locked device the option of paying the ransom through the MoneXy service, since clients of this service are not as easy to track as customers of conventional payment systems that work with credit cards. The report states that after the funds are received on the attackers' account, the device will be unlocked within 24 hours.
In the case of Simplocker, the program already contains code to decrypt the files for which the user is asked to pay. This, however, does not mean that the owner regains control of the device after paying the “ransom”.
The malicious software Simplocker is distributed in the form of an application named Sex xionix. It was not found in the Google Play app store and, according to experts, has low prevalence to date, but the Android platform allows the installation of software from third-party sources, where users could accidentally stumble upon it.
The extortion program communicates with a remote server and sends it some identifying information about the device, such as the IMEI identifier. Experts note that the server's address is in the .onion domain, which belongs to the Tor anonymity network, allowing the attackers to maintain a proper level of secrecy.
“Our analysis of this threat has shown that in the case of Simplocker the attackers managed to get closer to realizing the concept of the well-known extortion program Cryptolocker, which caused quite a stir in the world of Windows,” Eset stated.