New and nastier Android ransomware uses unique keys to lock data

The Simplocker ransomware targeting Android systems first appeared in mid 2014. Prior to Simplocker most ransomware only claimed to encrypt files but didn't actually do so.

Fortunately files locked by the malware were fairly easy to decrypt, but now researchers at antivirus company Avast have uncovered a new version of Simplocker with an even nastier trick.

The latest version uses unique keys for each device it infects making it much harder to decrypt and is already believed to have infected around 5,000 devices.

Avast mobile malware analyst, Nikolaos Chrysaidos writing on the company's blog says, "To use an analogy, the original variant of Simplocker used a 'master key' to lock devices, which made it possible for us to provide a 'copy of the master key' to unlock already infected devices. The new variant however, locks each device with a 'different key' which makes it impossible to provide a solution that can unlock each infected device, because that would require us to'‘make copies' of all the 'different keys'".

The new Simplocker masquerades as a Flash Player update to trick users into installing it. Android blocks installs from unofficial markets by default, so users should be safe unless they've changed their settings.

If it is installed the app is granted administrator rights and uses social engineering to deceive the user into paying a ransom to unlock the device and decrypt the files. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws and demanding the user pay a $200 fine to decrypt their files.

There's more information including a look at how the Simplocker malware operates on the Avast blog.

Image Credit: Carlos Amarillo / Shutterstock