
SLocker

One of the oldest and most prolific Android ransomware families. Active since 2014 with 600+ variants, SLocker combined screen-locking with file encryption and was among the first Android malware to use Tor for C2 communication. Its source code was decompiled and published in July 2017, causing a surge in variants including one that mimicked WannaCry's UI. Closely related to Simplocker.

Overview

| Property | Value |
| --- | --- |
| First Seen | 2014 |
| Type | Ransomware (screen locker + file encryptor) |
| Attribution | Multiple independent operators (source code public) |
| Aliases | SimpleLocker, SMSLocker, Trojan-Ransom.AndroidOS.Small (Kaspersky), Android/Ransom.SLocker (Malwarebytes) |

Distribution

SLocker was distributed through counterfeit apps on Google Play and third-party stores, where it posed as multimedia players, game guides, and popular software. It also spread through fake update prompts and social engineering.

Capabilities

| Capability | Implementation |
| --- | --- |
| File encryption | AES encryption of images, documents, videos |
| Screen lock | Full-screen ransom overlay, some variants changed device PIN |
| Tor C2 | Among the first Android malware to use Tor for C2 |
| Scareware | Early variants impersonated FBI/police using law enforcement branding |
| Camera access | Later variants could access camera |
| Device admin | Hijacked Device Administrator for persistence |

Scale

  • 400+ variants by 2016, surging to 600+ over six months
  • Estimated $10 million in ransom payments
  • NHS England issued a cyber alert about SLocker
  • WannaCry-mimicking variant appeared July 2017

Source Code Leak

The source code was decompiled and published online in July 2017, leading to a variant explosion. This mirrors the pattern seen with BankBot, GM Bot, and Cerberus, where source availability dramatically lowers the entry barrier.

| Family | Relationship |
| --- | --- |
| Simplocker | Closely related, sometimes used interchangeably by vendors |
| DoubleLocker | Advanced successor combining encryption + PIN change |
| Koler | Contemporary police-themed ransomware (screen lock only) |
