Malware Family

Ransom, data encryption and phone locking

Sample description:

The application uses TOR to send personal information. The tor process starts and some TOR relay sockets like (128.31.0.39) are opened in order to send and route information anonymoulsly. Socket addresses were checked on https://torstatus.blutmagie.de/. We can see on graph that all personal documents are encrypted, for example for /mnt/sdcard/Android/data/com.google.android.apps.books/files/accounts/gstef2000@gmail.com/volumes/1NMOAAAAIAAJ/cover_thumbnail.png.enc. Some abnormal accessed files: /data/data/org.simplelocker/app_data/control_auth_cookie, gstef2000@gmail.com/volumes/*.enc, /data/data/org.simplelocker/app_bin/torrc, /data/data/org.simplelocker/app_bin/torrctether, /data/data/org.simplelocker/app_bin/privoxy.config


The Information Flow graph shows four processes. The main process named rg.simplelocker writes in several files of .enc extension. These files are the encrypted version of the multimedia files taken in hostage. The process named tor is the process that communicates through the Tor network, using five sockets. Four of them are nodes of the Tor circuit used to reach the server and the fifth is the interface used to send and receive messages. The libprivoxy.so process is the HTTP proxy used in combination with Tor.


The Control Flow and ByteCode View show two entry points and 9 suspicious methods. Indeed, there is two way of launching the malware: from the service (onStartCommand) or using the main activity (onCreate). The onCreate method calls the run() method that starts the encryption calling the encrypt() method. doShellCommand is a toolbox methods used by other methods like runTorShellCmd to control the tor process.

File details:

• MD5 : fd694cf5ca1dd4967ad6e8c67241114c
• SHA256 : 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97
• Size : 4.7 MB