# Simplocker
Simplocker was the first Android malware to encrypt files on the device. Discovered by ESET in June 2014, it scanned the SD card for media and document files, encrypted them with AES, and demanded a ransom. It communicated with its C2 server over Tor, another first for Android malware. Because the encryption key was hardcoded in the app, ESET was able to release a free decryptor.
## Overview
| Property | Value |
|---|---|
| First Seen | June 2014 |
| Type | File-encrypting ransomware |
| Attribution | Unknown (initial Russian-language targeting) |
| Aliases | Android/Simplocker (ESET), Trojan-Ransom.AndroidOS.Simplocker (Kaspersky) |
## Distribution
Distributed as a fake Flash Player app; it required the victim to download and install it manually. Later variants displayed fake FBI warnings aimed at English-speaking targets.
## Capabilities
| Capability | Implementation |
|---|---|
| File encryption | AES-256 with hardcoded key jndlasf074hr, appended .enc extension |
| Target files | jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 |
| Tor C2 | C2 hosted on .onion domain (xeyocsu7fu2vjhxs.onion) |
| Data exfiltration | IMEI, OS version, phone model, manufacturer sent to C2 |
| Ransom demand | Initially Russian rubles, later $300 USD in FBI-themed variants |
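Responders assessing an infected device usually start by measuring impact. The following triage script is an added example, not code from ESET or from the page; it assumes a file listing (or a mounted SD-card image directory) and uses only the `.enc` naming and the target extensions given in the capabilities table above.

```python
import os
import re
from collections import Counter

# Extensions Simplocker targeted, as listed in the capabilities table.
SIMPLOCKER_TARGET_EXTS = {
    "jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
    "txt", "avi", "mkv", "3gp", "mp4",
}
# Simplocker appended ".enc" to the original file name, e.g. photo.jpg -> photo.jpg.enc
_ENC_NAME = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]+)\.enc$")


def classify_name(path):
    """Return the original extension (lowercased) if `path` looks like a file
    Simplocker would have encrypted, otherwise None."""
    m = _ENC_NAME.match(os.path.basename(path))
    if not m:
        return None
    ext = m.group("ext").lower()
    return ext if ext in SIMPLOCKER_TARGET_EXTS else None


def original_name(path):
    """Name to restore once a file has been decrypted (strips the .enc suffix)."""
    return path[:-len(".enc")] if classify_name(path) else path


def triage_listing(paths):
    """Summarise a list of file paths. Returns (encrypted_paths, counts_by_ext)."""
    encrypted, counts = [], Counter()
    for p in paths:
        ext = classify_name(p)
        if ext is not None:
            encrypted.append(p)
            counts[ext] += 1
    return encrypted, counts


def walk_directory(root):
    """Collect every file path under `root` (e.g. a mounted SD-card image)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


# Constructed sample listing (hypothetical paths, not from a real device).
SAMPLE_LISTING = [
    "/sdcard/DCIM/Camera/IMG_0001.jpg.enc",
    "/sdcard/DCIM/Camera/IMG_0002.JPG.enc",   # extension case varies on FAT volumes
    "/sdcard/Documents/report.docx.enc",
    "/sdcard/Download/invoice.pdf",           # untouched file
    "/sdcard/Movies/clip.mp4.enc",
    "/sdcard/backup.tar.enc",                 # .enc but not a targeted type
]

if __name__ == "__main__":
    hit, by_ext = triage_listing(SAMPLE_LISTING)
    print(f"{len(hit)} encrypted files; by type: {dict(by_ext)}")
```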
## Significance
Simplocker proved that file-encrypting ransomware was viable on Android. Its weak implementation (a hardcoded key that enabled free decryption) was corrected by its successors. The SLocker family continued to evolve the Android ransomware category through 2017, including variants that mimicked WannaCry's UI.
## Related Families
| Family | Relationship |
|---|---|
| SLocker | Evolved the ransomware concept with 600+ variants |
| DoubleLocker | First to combine file encryption with PIN change (2017) |