Just around this time last year, Symantec came across a fake security app called Android Defender (Android.Fakedefender) that held mobile devices hostage until a ransom was paid up. This particular malware locked up the device, making it useless, in order to coerce the user into paying for the app. Now, a year later, a batch of malicious apps that take files stored on mobile devices hostage by encrypting them have been discovered in the wild by security researchers. These variants, which Symantec detects as Android.Simplocker, pretend to be legitimate apps and appear to be hosted on fake Google Play sites aimed at Russian-speaking Android device owners. An example of one of these fake sites can be seen in Figure 1.
Figure 1. Fake Google Play site
Installing the malicious app
Once one of the malicious apps is manually downloaded and installed on a mobile device, the malware quickly displays a full-screen message stating that the phone has been locked because child pornography was viewed and distributed on the device. The message also states that a payment must be made in order to unlock the device. The message can be closed, but it immediately reopens if the user attempts to launch any other app.
Figure 2. Message displayed by the malware
In the background, Android.Simplocker is working hard to encrypt the following types of document, picture, and video files stored on the device’s SD card:
Figure 3. Files stored on the SD card before and after encryption
Removing the malicious app
On certain Android devices, the malware may be removed by quickly performing an uninstall, especially right after rebooting the device; however, in most cases the app loads quickly enough to prevent the removal. Most Android devices provide a hidden option to boot the operating system (OS) in safe mode. This loads only the basic functionality of the OS and prohibits third-party apps from starting. Android.Simplocker can be removed by starting the device using this option. Please note that the instructions for performing this task vary depending on the device.
Figure 4. Rebooting to safe mode
If you do happen to install one of these malicious apps, we recommend turning off the device immediately to limit the number of files the malware can encrypt. The device should then be rebooted into safe mode to remove the threat. If a safe mode option is not available for the device, the only option may be a factory reset. In this case, the OS is reset to the same state as when the device was purchased; however, there should be an option to perform the reset without wiping any data stored on the SD card.
For any files that may have been encrypted, it may be possible to decrypt them since the key used to perform the encryption is stored locally in the malware. However, it is not an easy task for the average user unless they happen to be very familiar with encryption technology.
Android.Simplocker is the first confirmed Android ransomware that actually encrypts files. The malware is very basic this time; however, there is plenty of room for improvement. We may, in time, see variants that are much more difficult to remove and that use encryption that is impossible to crack.
Users should refrain from downloading apps from unfamiliar sites and only install apps from trusted sources. Backing up data is also important so that personal files can be retrieved in case they happen to be lost or become encrypted by malware. Symantec also recommends installing a security app, such as Norton Mobile Security or Symantec Mobile Security, in order to protect your device and data.
Symantec detects the threats discussed in this blog as Android.Simplocker and Android.Fakedefender.