7 June 2014

CYBER SECURITY RESEARCHERS SPOT 1ST EVER ANDROID SMARTPHONE RANSOM ATTACK – ENCRYPTS DATA FILES


June 5, 2014 · by Fortuna's Corner

Researchers Spot First Ever Android Ransom Attack – ENCRYPTS Data Files


John Dunn writes in the June 4, 2014 online edition of Techworld.com, that “cyber security researchers working for the firm ESET have discovered the first ever malware capable of encrypting data files on an Android smartphone — as part of a ‘Cryptolocker-style’ ransom attack.”

“Called ‘Simplocker,’ the Russian-language Trojan scans the device’s SD card, or internal storage, encrypting data files it finds there with a range of extensions, including obvious ones such as .jpg, .doc, .avi, and .mp4. The encryption used is strong,” writes Mr. Dunn, “256-bit AES. The splash screen then states [translated from Russian]: ‘WARNING: Your phone is locked! The device is locked for viewing and distribution [of] child pornography, zoophilia, and other perversions,’ before demanding 260 Ukrainian Hryvnia (about $9) payable via MoneXy in return for the return of data.” “Probably the first such attack of this kind,” says Mr. Dunn, “was ‘Android Defender’ last June, which demanded payment for cleaning the device of non-existent malware.”
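The article describes the defender-relevant symptom: files with ordinary media and document extensions whose contents have been replaced by AES ciphertext. A simple triage check that a responder can run over a recovered storage image is to compare each file's leading bytes against the magic signature its extension implies and, where they disagree, measure the byte entropy (AES output is close to 8 bits per byte). The example below is added here and is not code from the article, from Mr. Dunn or from ESET; the sample files, the signature table and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Magic-byte signatures for the file types the article lists as targeted
# (.jpg, .doc, .avi, .mp4). Each entry is a list of (offset, bytes) pairs
# that must all be present for the content to be consistent with the extension.
MAGIC = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".doc": [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],  # OLE2 compound document
    ".avi": [(0, b"RIFF"), (8, b"AVI ")],
    ".mp4": [(4, b"ftyp")],
}

# Assumed threshold: AES ciphertext sits near 8.0 bits/byte; a header that
# fails its magic check AND sits above this is treated as likely encrypted.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, data: bytes):
    """True/False if we know the type's signature, None if the type is unknown."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return None
    return all(data[off:off + len(sig)] == sig for off, sig in sigs)


def classify(name: str, data: bytes) -> str:
    """Return 'likely-encrypted', 'header-mismatch', or 'ok' for one file."""
    ext = os.path.splitext(name)[1]
    matches = header_matches(ext, data)
    if matches is False and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    if matches is False:
        return "header-mismatch"   # wrong header but low entropy: mislabelled, not ciphertext
    return "ok"                    # signature present, or a type we do not track


def scan(files: dict) -> dict:
    """Classify every (name -> content) pair; meant to be fed from a storage image."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed sample files (not real captures):
#  - holiday.jpg keeps a valid JPEG header but a high-entropy body, as a
#    genuine compressed photo would; it must NOT be flagged.
#  - report.doc has lost its OLE2 header and is uniformly distributed bytes,
#    standing in for a file overwritten with ciphertext.
#  - renamed.jpg is plain text with the wrong extension: a mismatch, not encryption.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(256)) * 8,
    "report.doc": bytes(range(256)) * 16,
    "clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST" + b"\x00" * 512,
    "video.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 512,
    "renamed.jpg": b"plain text notes\n" * 50,
    "readme.txt": b"untracked type, left alone\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

Entropy alone is a poor signal for this kind of ransomware because legitimate JPEG, MP4 and AVI payloads are already compressed and sit close to 8 bits per byte; that is why the check keys on the missing signature first and uses entropy only to separate ciphertext from a merely mislabelled file. A real run would also record file modification timestamps, since an encryptor touches many files in a short window.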

Mr. Dunn notes that “an unusual feature is that the malware’s command and control (C and C) operates using the Tor anonymity service. It also doesn’t appear to supply a conventional unlock key, working out which victims have paid through this encrypted channel after relating money transfers to the smartphone’s IMEI number.” ESET suspects the malware’s prevalence is currently “very low,” notes Mr. Dunn. “So far,” he adds, “the malware appears to be targeting Android users in Russian-speaking countries, who contract it after downloading an app called ‘Sex xionix’ from a third-party app store.”

“If the threat is low, the intent is not,” contends Mr. Dunn. “What starts on Russian malware sites has a habit of eventually spreading to more complex attacks in other markets.” “There is no doubt,” cyber security researchers say, “that [this] encryption malware, in its most severe [form], is coming to the wider population of Android devices at some point.” ESET added that their “analysis of the Android/Simplocker.A revealed that we were most likely dealing with a proof-of-concept, or a work in progress.” But the company also acknowledged that “it is at pains to distinguish Simplocker from other types of mobile malware that use the ransom in annoying, but less serious, ways. A recent example, the company noted, was the Reveton-linked lockscreen attack, which demanded a ransom after pestering the user with pop-ups that make the smartphone hard to operate.” Furthermore, ESET said that “the malware is fully capable of encrypting the user’s files, which may be lost if the encryption key is not retrieved.”

“While the malware does contain functionality to decrypt the files,” ESET researchers said, “we strongly recommend against paying up, not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them.”

“The good news,” Mr. Dunn concludes, “is that Android smartphone and tablet users have more defense against such attacks, as long as they back up their files to Google’s iCloud. That would allow them simply to reset their phone and reinstate their files. It doesn’t appear that Simplocker goes after iCloud storage, although that backup could become a target in the future.” I would say that is highly likely. V/R, RCP.
