Android ransomware Simplocker ripped apart by student; releases tool to decrypt encrypted files

By  | 

Simon Bell, a final year Computer Science (BSc) student at the University of Sussex, United Kingdom has managed to reverse engineer the recently discovered Simplocker Android malware that encrypts files present on an Android smartphone’s memory card and demands a ransom in lieu of the decryption key.

Bell has analysed Simplocker in detail through both static and dynamic analysis and concludes that the malware looks for images, videos and documents to encrypt. Once it finds and encrypts the files it changes their extension to .enc. The app also collects different information about the phone such as IMEI, OS, phone model, and manufacturer and sends them to C&C server.

During the dynamic analysis of Simplocker, Bell found that there is a method called decrypt() that is a lot similar to the encrypt() function.

“Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs”, notes Bell.

Bell has also released an antidote of the malware in the form of a Java program.

The young researcher claims that Simplocker is a proof-of-concept ransomware and the antidote also is of the basic level that will only work in accordance with the proof-of-concept nature of the malware.

“Future versions of advanced smartphone ransomware will likely prove significantly harder to reverse engineer”, Bell concludes.