New Simplocker ransomware variant infects 5,000 Android phones

A new variant of the Simplocker ransomware for Android has been discovered that poses as Adobe Flash Player and has already encrypted files on 5,000 smartphones. Unlike with an earlier version of the Simplocker ransomware, victims have no way to get their files back.


The ransomware installs itself after a malicious advertisement has convinced the user to install Adobe Flash Player to view videos. The offered APK file obviously isn't the Flash Player but the Simplocker ransomware. Once the ransomware is installed and becomes active, it starts encrypting files on the phone and displays a warning that appears to come from the FBI. The message states that the user has visited forbidden porn sites and that the phone has therefore been locked. According to the message, a ransom of $200 has to be paid to regain access.

The encryption key was found in the source code of the first Simplocker variant. The key was a generic key used for all infections. This variant was able to infect more than 20,000 phones, but it's unclear how many victims paid, as free decryption tools based on the generic key became available.


The newly discovered variant uses a unique encryption key for each infection. Victims are therefore advised to back up the encrypted files and wait until someone develops a tool to decrypt them. Antivirus company Avast, which discovered the new Simplocker variant, advises never paying a ransom because it encourages the malware authors to continue their bad practices.
