Android/Simplocker using FBI child-abuse warnings to scare victims into paying $300

Last time we wrote about Android/Simplocker – the first ransomware for Android that actually encrypts user files – we discussed different variants of the malware and various distribution vectors that we’ve observed. What initially appeared as just a proof-of-concept  – mainly because of Simplocker’s “not-exactly-NSA-grade” crypto implementation – has proven to be an actual threat in-the-wild in spite of its weaknesses. Also, the malware has been available for sale on underground forums.

Last week we spotted a variant of the ransomware that featured a few significant improvements.

1. Simplocker–FBI-warning12. Simplocker-FBI-warning23. Simplocker-moneypak14. Simplocker-moneypak2

The first change that meets the eye in Android/Simplocker.I is that the ransom message is now in English rather than Russian. The victim is led to believe that the device was blocked by the FBI after detecting illegal activity – child pornography and so on – typical behavior of police ransomware that we’ve seen many times before. The demanded ransom is now 300 USD (as opposed to 260 UAH / 16 EUR / 21 USD) and the victim is instructed to pay it by a MoneyPak voucher. Like other previous Android/Simplocker variants, this one also uses the scareware tactic of displaying the camera feed from the device.

From a technical perspective, the file-encrypting functionality remains virtually unchanged, apart from using a different encryption key, but this recent Simplocker variant does contain two additional tricks to make the victim’s life more miserable.
5. simplocker-code
In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This ‘upgrade’ can have very unpleasant consequences. Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files. In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well.

Secondly, the malware now asks to be installed as Device Administrator, which makes it a lot more difficult to remove. Legitimate Device Administrator applications use these extended permissions for various, mostly security-related reasons. For example, corporate Exchange administrators can enforce password policies, remotely wipe lost or stolen devices, and so on.

Android/Simplocker.I (and other Android ransomware in the past) only uses the functionality for its own protection, since the user must first revoke the application’s Device Administrator rights before uninstalling it. And that’s rather difficult to do when the ransomware is locking your screen.


As usual, the trojan will use social engineering to trick the user into installing it – in the screenshot to the left it’s masquerading as a Flash video player.

Our Android/Simplocker detection statistics until today don’t indicate the threat to be widespread in English-speaking countries.

In case your files have been encrypted as a result of an Android/Simplocker infection, you can use the updated ESET Simplocker Decryptor to restore them. But as always, we recommend focusing on prevention ;) Also, while you should be careful when installing any application on your device, be extra careful when the installed application asks for Device Administrator rights.

SHA1 Hash: 72ec80b52ad38417240801dba1a730ab9804a2f9

Author Robert Lipovsky, ESET

  • scott flynn

    So, exactly how is one’s device infected with this stupid ransomware? Would one not have to have admin rights in the first place? I didn’t unlock my devices…app’s are not allowed to have admin rights (unless coming from Google or Samsung through a firmware update in the first place)? How would you do this? I don’t understand.

    • Konstantin Paramonov

      The news is that it exists. Windows won’t allow using admin-rights by default either, but there are tons of viruses that everyone should be aware of.

    • lipovsky

      Hi Scott. Anyone can install an application as Device Administrator – Android will display a message as shown in the last screenshot in the post.

      This is different from root.

      • scott flynn


  • Malik

    Hi I just got it today…Help…Can I get rid of it without paying the 300?

  • Unknown

    that happened to me and luckily i was fast enough to factory reset my phone before it showed that screen

    • Isaac Villagrana

      Soo are those screenshots fake

  • Damien

    The scan didnt dl anything on any other options? If someone got the answer how i get my dcpt files back to normal it would help me.a lot.

Follow us

Copyright © 2017 ESET, All Rights Reserved.