A new Android ransomware, disguised as a video player app, uses a command-and-control channel not seen in other similar malware. This new, improved variant of the Android Simplocker ransomware is lurking on third-party app stores and has infected tens of thousands of devices.
“We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher,” Ofer Caspi from CheckPoint’s malware research team warns.
The majority of victims are located in the US, with smaller numbers in Asia and Europe. The mobile crypto-ransomware scam appears to be profitable: researchers at Check Point Software Technologies said that tens of thousands of devices could be infected and that, to date, about 10 percent of victims have paid ransoms of between $200 and $500. Check Point concedes its dataset is incomplete, so it is likely that more devices are infected and that the hackers have pocketed more than the estimated $200,000 to $500,000.
Most ransomware uses the HTTP/S protocol to communicate with its C&C servers, and that type of traffic can be obstructed by blocking access to the server's URL or static IP address. This ransomware instead uses the XMPP protocol to contact its control server; such traffic is not as easily blocked, nor is the malicious part of it easily spotted.
According to security researchers at Check Point Software Technologies a new Android ransomware disguised as a video player app implements a method of communication different from any other similar threat.
The infection starts when a victim downloads a supposed Flash Player app; once the victim approves the installation and grants the requested permissions, the ransomware encrypts all the data on the mobile device.
Victims, with this strain, see a message purporting to be from the National Security Agency with threatening language about copyright violations and threats of fines being tripled if not paid within 48 hours of notification. The NSA message has been used with other mobile ransomware such as Koler and Simplocker.
What sets this strain apart from others, Check Point said, is that the ransomware uses an instant messaging protocol called XMPP, or Extensible Messaging and Presence Protocol, to receive commands and communicate with the command and control server.
Unlike most ransomware that communicates over HTTP, using XMPP has been effective in helping the malware evade detection. With HTTP communication, traffic using the URL address or static IP address of the C&C server can be blocked, denying the attackers the ability to send encryption commands and process files, Check Point said.
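Because the C&C server's IP address or domain can be swapped at will, a defender's detection has to key on the protocol rather than the destination. The following is an added example (not code from the Check Point report) that flags XMPP session openings from a mobile device segment to any server not on an allowlist; the segment prefix, the allowlist and the sample flow records are all constructed here.

```python
# Added example: protocol-based detection of XMPP client streams from a
# mobile segment, independent of the C&C server's IP or domain.
import re
from dataclasses import dataclass

# An XMPP client opens a session with a <stream:stream> element (RFC 6120),
# sent in cleartext before any STARTTLS upgrade, so it is visible on the wire.
STREAM_OPEN = re.compile(rb"<stream:stream\b[^>]*\bto=['\"]([^'\"]+)['\"]", re.I)
MOBILE_NET = "10.20."                        # constructed: phones' Wi-Fi segment
ALLOWED_XMPP_DOMAINS = {"chat.example.com"}  # constructed: sanctioned XMPP servers

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the client-to-server stream

def xmpp_domain(payload: bytes):
    """Return the XMPP 'to' domain if the payload opens an XMPP stream, else None."""
    m = STREAM_OPEN.search(payload)
    return m.group(1).decode("ascii", "replace") if m else None

def suspicious_xmpp(flows):
    """Flows from the mobile segment that open an XMPP stream to a non-allowlisted domain."""
    hits = []
    for f in flows:
        if not f.src.startswith(MOBILE_NET):
            continue
        domain = xmpp_domain(f.payload)
        if domain is not None and domain not in ALLOWED_XMPP_DOMAINS:
            hits.append((f.src, f.dst, f.dport, domain))
    return hits

# Constructed sample flows: a benign HTTP request, a sanctioned XMPP session,
# an XMPP stream to an unknown domain on port 443, and a non-mobile host.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.20.1.6", "203.0.113.20", 5222,
         b"<?xml version='1.0'?><stream:stream to='chat.example.com' "
         b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"),
    Flow("10.20.1.7", "198.51.100.7", 443,
         b"<stream:stream to=\"xmpp-c2.invalid\" xmlns=\"jabber:client\" version=\"1.0\">"),
    Flow("192.0.2.9", "198.51.100.7", 5222,
         b"<stream:stream to='xmpp-c2.invalid' xmlns='jabber:client'>"),
]

if __name__ == "__main__":
    for hit in suspicious_xmpp(SAMPLE_FLOWS):
        print("ALERT xmpp-stream-from-mobile", *hit)
```

The check only sees sessions that begin in cleartext; XMPP carried inside a direct TLS connection hides the stream header, and those flows need TLS metadata (SNI, certificate) or endpoint telemetry instead.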
In its report, Check Point has published indicators of compromise, command descriptions and details on the encryption used.
Unfortunately, new samples of the malware are popping up and other accounts are being set up daily.
Users who fall victim to this scheme are advised not to pay the ransom and to seek help from experts, because the malware cannot be easily uninstalled by less technical users. The encrypted files will, of course, be lost, but hopefully this will spur victims to back up their devices more often.