Android Malware

James Lyne, global head of Security at Sophos, says:

Ten years ago, in June 2004, the first “phone malware” was reported—Cabir, a Bluetooth virus for Symbian devices. Since then, crooks have learned that “they can just copy what’s worked on Windows computers.” That’s how Android threats have played out, at least.

First, we saw fake anti-virus for Android that followed the path of Windows scareware. More recently, we’ve seen Android ransomware that manipulates the device, acting under threat of police prosecution. This ransomware—called Koler—attempts to take over your device, unless you pay. Sound familiar? Recall the infamous case of Reveton ransomware on Windows. It looks as though the same cybercrooks are behind both scams.

Now What?

The US-led takedown of the Gameover and CryptoLocker malware operations has been the big security news lately. So, we know what has been on your mind. You’re probably thinking, “Since the crooks keep copying Windows threats that were financially lucrative, in the future we’ll see Android ransomware that doesn’t just lock your device, but locks your data, too.”

Koler falsely claimed to have encrypted files, when really it didn’t. (Dishonest malware? Who would have guessed!)

Victims can usually get around ransomware without paying when the ransomware relies solely on pop-up scare tactics. Here’s a tip: For Koler, use Android’s Safe Mode. You reboot so you have control, allowing you to uninstall the app.


Unfortunately, the thought of mobile malware that actually does encrypt your data has become a reality. That’s where Simplelocker (also known as Andr/Slocker-A) comes in—it does just that. Once infected, a pop-up window appears that accuses the user of a crime and requests a fee to recover data and keep the user from being reported to authorities.

What to Do

Like Koler, the Simplelocker window fills the screen and won’t go away. When trying to switch to another application, the screen quickly comes back. Rebooting can help, but users have to act quickly; otherwise the malware automatically reappears. This leaves the user a short time to access “Settings>Apps>Download” to uninstall the app.

So, what’s the good news? If you keep your Android device configured to only accept software from the Google Play Store or the Amazon Appstore, you’re not likely to run into the Simplelocker malware.  Luckily, unlike CryptoLocker, Simplelocker encryption isn’t cloud-controlled. However, it does scramble a range of different image, document, and movie files.

Since Simplelocker encryption isn’t cloud-controlled, the malware doesn’t go online to retrieve an encryption key from crooks. Instead, it uses a key that’s stored inside the malware code. So, what does that mean? Unlike Cryptolocker, it’s Windows-based predecessor, it will discharge even if it can’t connect to the crooks’ servers.

Because you can tell how files were encrypted and what keys were used, you’re able to recover your files with some effort (in the case that you get hit). If you’re not too worried about your scrambled files, you can delete the malware using the Safe Mode technique mentioned above and remove any data files that will no longer open.

The Simplelocker Family

SophosLabs has seen a number of different variants of Simplelocker—some target Russians, and others target Ukrainians. Some variants include an Android version of Tor, which is an anonymous service that is used to contact the crooks, rather than regular web connections that are easier to track.

Five Tips

Here are five easy tips to help you combat Android malware, including ransomware:

1)      Install a reputable anti-virus program to automatically scan all new apps before they run for the first time.

2)      Be cautious of apps that are offered in ads or pop-ups.

3)      Keep off-device backups of your important data.

4)      Learn more about “Safe Mode,” in case you ever need to quickly use it.

5)      Only allow installs from the Google Play Store or the Amazon Appstore. (This is a default setting on Android phones.)

Simplelocker can be avoided because it isn’t very sophisticated. If you do happen to be hit by it, you can recover your data.

But consider yourself warned: Android malware will likely continue to follow where Windows malware has gone before!