Thursday, March 17, 2016

File-encrypting Android ransomware strikes as adult applications

The ransomware can encrypt user data and lock the device after receiving a command from its C&C server. It then demands a ransom in exchange for decrypting the files and unlocking the device.

File-encrypting ransomware is a very popular type of threat among malware creators, who can easily make a large amount of money with it. This applies mainly to the infamous TeslaCrypt, Locky or Cryptolocker from the Windows platform. These threats can do a lot of damage by encrypting all the data on a user’s computer. Android is no exception. The first Android file-encrypting ransomware, known as Simplocker, was discovered in 2014.
This ransomware selects its victims by the country they live in. If the language code of the device locale is approved by the backend, the device data will be encrypted. This can also serve as an interesting anti-sandbox technique.


This file-encrypting ransomware disguises itself as adult applications downloaded from untrusted websites.

Figure 1 Ransomware spreads as porn apps

After it starts, it sends device information that is the key factor in the next steps. Besides some configuration data, it sends the IMEI number and the language code of the device locale. If the language code is accepted by the remote server, the server sends an encryption key to the infected device and file encryption starts. Otherwise, when the device country is not accepted, the ransomware asks the user to uninstall it manually, without encrypting files or locking the device. How nice of them :). This interesting method can bypass automated sandboxes without triggering the “red” light, because the actual locking and file-encrypting functionality is never executed.

Figure 2 Server sending encryption key

Once the ransomware receives this data from the remote server, file encryption can begin. Encryption starts from the root of the device's external storage directory. It uses AES to encrypt all files smaller than 8,388,608 bytes, and skips all APKs and all files inside the Android directory.

Figure 3 File encryption

The extension “.enc” is appended to all encoded files.

Figure 4 Encrypted files

The trojan also implements a decryption method. File decryption can likewise be invoked by a command received from the C&C server.
After encryption, it creates an “ENCODED.TXT” file in the root of the external storage directory. The text file contains a ransom message with payment instructions, in case the user has already removed the malware but still wants to decrypt the files.

Figure 5 Content of ENCODED.TXT file

Original text: “Если Вы удалили приложение, а файлы остались закодированными, то Вам необходимо перевести 1000 рублей на выделенный для Вас номер +79688303841
В поле ,комментарий,укажите уникальный kод - 123753
В течении 5 часов файлы будут успешно восстановлены.”

Translated by Google: “If you delete an application, and the files were encoded, you need to transfer 1,000 rubles for a dedicated room for you +79688303841
In the comment, enter a unique code - 123,753
In 5 hours, the files will be recovered successfully.”
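
The file-system traces described above (the “.enc” extension, the ransom note in the storage root, and the files the trojan skips) can be checked on a copy of a device's external storage. The following triage sketch is an added example, not code from the original post or from the malware; the function names, report keys and sample tree are constructed for illustration.

```python
import os
import tempfile

SIZE_LIMIT = 8_388_608     # bytes; the post says only smaller files are encrypted
NOTE_NAME = "ENCODED.TXT"  # ransom note dropped in the storage root
ENC_EXT = ".enc"           # extension appended to encrypted files

def triage(root):
    """Classify files in a copy of external storage by the behaviour described above."""
    report = {"note_present": os.path.isfile(os.path.join(root, NOTE_NAME)),
              "encrypted": [], "skipped_by_design": [], "unencrypted_targets": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_android = rel_dir.split(os.sep)[0] == "Android"
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel == NOTE_NAME:
                continue
            if name.endswith(ENC_EXT):
                report["encrypted"].append(rel)
            elif (in_android or name.lower().endswith(".apk")
                  or os.path.getsize(path) >= SIZE_LIMIT):
                report["skipped_by_design"].append(rel)
            else:
                # Would have been a target: created later, or encryption did not finish.
                report["unencrypted_targets"].append(rel)
    for key in ("encrypted", "skipped_by_design", "unencrypted_targets"):
        report[key].sort()
    return report

def build_sample_tree(root):
    """Constructed sample data: a tiny fake storage tree, not taken from a real device."""
    sample = {"DCIM/photo.jpg.enc": 1024, "notes.txt.enc": 10, "Download/app.apk": 2048,
              "Android/data/com.example/cache.bin": 512, "new_after_infection.txt": 5,
              NOTE_NAME: 100, "Movies/big.mp4": SIZE_LIMIT}
    for rel, size in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # sets the length without writing real content

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, value in triage(tmp).items():
            print(key, value)
```

Files listed under `unencrypted_targets` are still readable and are the first candidates to back up before any further handling of the device.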

The ransom message is also shown to the user on a lock screen. The lock screen can vary in style and ransom text. The ransom message also includes a preview from the front camera, displayed to make it more trustworthy.

Figure 6 Lock screen examples

The ransom requested by the malware is approximately 11 EUR. That is not much compared to other Android ransomware requesting 500 USD.

But the price can change, as it did with Simplocker. At first, Simplocker requested ~15 USD and targeted Russia and Ukraine. New variants then started to request up to 500 USD and targeted English-speaking regions. Hopefully, this case won’t follow the same scenario as Simplocker.


C&C server: hxxp://

