New ransomware appearing on Android smartphones now also makes pictures of its victims. The malware is called Simplocker ransomware and was recently discovered by anti-virus company ESET. At the moment more than 30 varieties of the malware have been discovered 'in the wild', according to Russian anti-virus vendor Kaspersky Labs.
There are two groups behind the different versions, one group uses the anonymous network Tor to communicate with the command and control server. The other group uses HTTP and SMS for contact with the malware. Once the malware is installed on an Android phone it starts searching for pictures, videos and documents on the SD card of phone and files are locked using strong AES encryption. The application can also be identified in the application list by an icon of the Google Android mascot with the text "Sex xonix"
Ransomware in the second group also makes a picture of its victim using the front camera of the phone. The photo is used in the shown warning which states the user is guilty of watching childporn and therefore the phone is locked by a government agency.
The ransomware encrypts the data on the phone and asks for an amount of 16 to 26 EURO to be paid in uder to unlock the files again. Kaspersky reports that it received reports on more than 2,000 infected phones in 13 countries. Most of the victims are located in Russia, but the company also received reports from Germany, Greece and Canada. According to Symantec the malware also appears on fake Google Play sites where it appears to be a legitimate application.
