Android Gets Hit by Ransomware

If you’re an Android user, you may need to be a little extra cautious. A new piece of malware is on the loose, capable of taking the photos, videos and documents on your phone hostage and demanding a ransom for their restoration. Dubbed SimpleShocker, the trojan is currently targeting Android users in Eastern Europe, though you shouldn’t let your guard down even if you’re in a different geographical location.

The threat
Discovered by Robert Lipovsky, security researcher for antivirus provider ESET, the latest malware to hit Android works in a fashion quite similar to that of CryptoLocker, the trojan that wreaked havoc on computer systems across the globe. Upon landing on an Android device, the malware quickly scans the phone’s SD card for all files ending with media and document extensions, including jpeg, jpg, png, bmp, gif, avi, mkv, 3gp, mp4, pdf, doc, docx, txt. It then encrypts these files using the Advanced Encryption Standard (AES), effectively making them inaccessible to the user. Next, a message in Russian flashes on the screen, warning the victim that their handset has been locked because it was found to be involved in criminal activity such as downloading and distributing illegal software or perverted content such as child pornography. The victim is informed that in order to unlock their device, they must pay 260 UAH (Ukrainian Hryvnias), which is roughly equal to $21, within 24 hours, or else lose their locked data forever. So far, there is no report confirming that paying the ransom actually gets the files decrypted.
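
As an added illustration (not code from ESET, Sophos or the original article), the following Python script walks a copy of an SD card and flags files that carry one of the extensions listed above but no longer begin with the bytes that format requires, which is how encrypted content shows up during triage. The signature table, the 2% control-byte threshold for text files, all function names and the choice to also check names where a listed extension is followed by another suffix are assumptions of this example.

```python
from pathlib import Path
import tempfile

# Extensions listed in the article -> (offset, signature) pairs of an intact file.
MAGIC = {
    "jpeg": [(0, b"\xff\xd8\xff")], "jpg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")], "mkv": [(0, b"\x1a\x45\xdf\xa3")],
    "bmp": [(0, b"BM")], "gif": [(0, b"GIF8")], "avi": [(0, b"RIFF")],
    "3gp": [(4, b"ftyp")], "mp4": [(4, b"ftyp")], "pdf": [(0, b"%PDF")],
    "doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],
    "docx": [(0, b"PK\x03\x04")], "txt": [],  # plain text has no signature
}

def target_ext(path):
    """First listed extension among the suffixes (so 'a.jpg.xyz' still counts)."""
    exts = (s.lstrip(".").lower() for s in path.suffixes)
    return next((e for e in exts if e in MAGIC), None)

def looks_intact(ext, head):
    """True if the leading bytes are plausible for a file of this type."""
    if not head:
        return True  # empty file: nothing to judge
    if ext == "txt":
        # Random-looking data is ~10% control bytes; 8-bit text has almost none.
        ctrl = sum(b < 9 or 13 < b < 32 for b in head)
        return ctrl / len(head) < 0.02
    return any(head[off:off + len(sig)] == sig for off, sig in MAGIC[ext])

def triage(root):
    """Sorted relative paths whose content does not match a listed extension."""
    root, flagged = Path(root), []
    for path in root.rglob("*"):
        ext = target_ext(path) if path.is_file() else None
        if ext is None:
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        if not looks_intact(ext, head):
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)

def demo():
    """Constructed sample tree: intact PNG and text, one scrambled 'photo'."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(32))
        (d / "notes.txt").write_text("shopping list\n")
        (d / "photo.jpg").write_bytes(bytes(range(256))[::-1])
        return triage(d)
```

Run `triage()` against a read-only copy of the card rather than the live device, so the list of affected files can be compared with backups before anything is removed.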

The solution
Users of compromised Android devices may not want to risk losing their data and may therefore rush to the nearest bank to transfer the ransom money, but ESET has advised victims against this response. Not only is it still uncertain whether making the payment would result in the restoration of data, but it would also encourage attackers to step up their efforts to trap more Android users in their net. All may not be lost for victims who refuse to bow to the demands of the attacker. According to a post published last week by Sophos, there is a fairly simple way of removing the malware from the device. All the user needs to do is reboot the phone in safe mode and manually remove the malware. Of course, the encrypted files will also be lost. There is, however, a way to recover those files, though it takes a bit of effort and involves a certain level of risk. The locked files may be recovered by unlocking the AES key that is stored inside the malware.

Harbinger of worse news?
Lipovsky believes that the crudeness of SimpleShocker proves that it’s still in a proof-of-concept phase. What this basically means is that an even bigger threat may be heading towards Android, something that may be capable of dealing as much damage as the likes of CryptoLocker. The malware analyzed by ESET was found in an app that isn’t available on Google Play, which suggests that users who had their devices compromised may have downloaded it from elsewhere. This is yet another reminder of the security implications of tinkering with the operating system to accept third-party downloads.

Android is to phones what Windows is to computers when it comes to malware. Due to their huge install base, both have been popular targets of hackers, which has brought them into the spotlight for all the wrong reasons. It would be unfair to say that Google, or even Microsoft for that matter, hasn’t done a good job with the security of their operating systems, especially with so many brains focused on detecting even the smallest crack in their security protocols.

Thanks to StealthMate for the well-thought-out article.
