CryptoLocker copycat holds Android data for ransom

American authorities may have taken down the CryptoLocker malware operation, but security software vendor Sophos Ltd. warns of a mobile malware threat following the footsteps of the Windows ransomware.

Previously, Sophos reported on an Android malware threat called Koler that claims to have encrypted a user’s mobile data and could potentially land the user in trouble with the police. Taking a page from the CryptoLocker playbook, Koler demands a payment to decrypt the data.

Koler, in fact, is just bluffing as it has not encrypted your data. It has just taken over you’re the screen of your device. Sophos said it can be uninstalled of by simply rebooting your Android device. Here’s how to unlock a ransomed phone.

However Paul Ducklin, chief technology officer of Sophos, said there is another malware known as SimpleLocker (also called Andr/Slocker-A) that really encrypts users’ data and holds it for ransom just like CryptoLocker does for Windows machine.

In a recent post on the Sophos blog site Naked Security, Ducklin said that SophosLad has seen a number of variants of SimpleLocker that target devices in Russia and Ukrain. Much like Koler, the malware fills a user’s screen with a warning message that will not go away.

A sample of the SimpleLocker message:

Sophos mobile malware

Users might not encounter SimpleLocker if their Android device is configured to download only software from Google Play.

 Here are four simple steps to take in order to avoid being hit by mobile malware or ransomware:

  • Install a reputable anti-virus program to scan all new apps automatically before they run for the first time
  • Practice caution in opening apps offered in ads and pop-ups
  • Keep off-device backups of your important data
  • Stick to Android’s default setting of allowing installs from the Google Play store only. If you want to use other app stores, turn the “unknown sources” option of your device on and turn it off after your purchase

Ducklin also said SimpleLocker is not cloud-controlled like CryptoLocker. The malware uses an encryption key that is embedded in the SimpleLocker code itself rather than from command centre.

“That means unlike CryptoLocker, it will detonate even if it can’t call home to the crook’s own servers,” wrote Ducklin. “But it also means that it is possible, albeit with some effort, to recover your files if you get hit, since you can tell how the files were encrypted and what key they used.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Nestor Arellano
Nestor Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.