New variant of Android Ransomware 'SimpLocker' spotted


A New variant of the Android Ransomware known as 'SimpLocker' has been spotted by Security researchers at ESET.

This new variant has a few significant improvements including the language in which the fake warning message is written, it is now in English rather than Russian.

The malware is masquerading as a flash player for the Android and tricks users into installing it with administrator privileges .

Once the device is infected, it will show a ransom message saying that your device is locked because you were doing illegal things and demands you to pay around $300.

One of the variant attaches the photo of the victim taken by the front camera in the ransom message.  This trick will definitely scare victims into paying the ransom.

One of the worst features added to this variant is now it encrypts the compressed files such as ZIP, RAR and 7ZIP.  It means even your backup files are being encrypted by this trojan.

ESET has released a tool to decrypt the files that have been encrypted by Simplocker.  The say prevention is better than cure, so better focus on prevention - Be careful while installing apps from unknown sources.

Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new Banking Trojan dubbed as "Kronos" which is being sold in the Underground forum.

The malware is being sold for $7,000 and the cyber criminals are offering one week test for the price of $1,000 with full access to the command and control server without any limitation.

Similar to other banking Trojans, this new malware also capable of doing form grabbing and HTML Injection.

Kronos has user-mode rootkit(ring3) capabilities that will help this trojan to defend itself from other pieces of malware, will work in both 32bit and 64 bit Operating systems.

It is also designed to evade antivirus software and bypass Sandbox. The malware use encryption to communicate with the C&C server.

Trusteer said it has not yet analyzed the malware sample in order to validate the seller’s claims, all the information provided are based on the advertisement in the underground forum.

Researchers say GameOver malware is back

Last month, DOJ announced that International law enforcement agencies disrupted the Game Over Botnet.   However, Researchers at Sophos say the GameOver malware is back.

Researchers spotted several spam campaign and analyzed a few samples of the new version.

The new version has few modifications.  One of them is removing Necurs rootkit part from the malware.

The second modification is using Domain generation algorithm(DGA) as the primary command and control mechanism instead of Peer-to-Peer protocol.

"We do not know if it is being operated by the same people that were indicted last month, or a subset of them, or indeed a different group altogether that has obtained the Gameover source code." researcher said.

Dailymotion website visitors redirected to malicious web page


Attackers managed to compromise the popular video sharing website dailymotion and redirected visitors to malicious web page that installs malware in victim's machine.

On June 28, Symantec researchers identified an iframe in Dailymotion.com which sends users to different website hosting Sweet Orange Exploit kit.

Sweet Orange Exploit Kit is a malware toolkit used by attackers to infect victim's machine with malware by exploiting software vulnerabilities on their machine.

The vulnerabilities that Sweet Orange attempts to exploit are : Java Vulnerability(CVE-2013-2460), Adobe Flash Player vulnerability(CVE-2014-0515), Internet Explorer Vulnerability(CVE-2013-2551).

If the user's machine is vulnerable, then Trojan.Adclicker was downloaded onto the victim’s computer.

"This malware forces the compromised computer to artificially generate traffic to pay-per-click Web advertisements in order to generate revenue for the attackers" the symantec researchers said.

South Korean Bank Customers targeted by Android Malware


A Mobile software company Cheetah Mobile has identified a malicious piece of Android malware that replaces the legitimate banking apps with fake versions.

According to the Cheetah Mobile report, the Trojan disguises itself as popular game or application on third party android application markets in Korea and tricks users into installing the app.

Once it is installed, the Trojan searches for the official online banking applications of south Korean Banks including Nong Hyup Bank, Sinhan Bank, Woori, Kookmin, Hana N Bank, Busan Bank and Korean Federation of Community Credit Cooperatives.

If one of these banking apps is found to be installed on the victim's device, the malware displays an alert saying that the banking app needs to be updated.  Once the update is approved,  the legitimate banking app will be replaced with the fake one.

The fake version then asks victims to enter the password to their security certificate(which is required by the South Korean government in order to access many online services).

The app then asks victims to provide their bank account number, passwords and bank security number.

At the end, the malware simply displays a fake error message informing victims that there is no Internet connection.  The malware then deletes itself from the device.

"With the information that they stole, the hackers can apply for a new certificate, which they then use to freely access the victim's bank account."says Cheetah Mobile.

The company said more than 3,000 devices have been infected in the last week alone.

Simplocker : First Android Ransomware that Encrypts files in Your Device

Ransomware is a type of malware that locks you out of your computer until you pay a ransom.  In some cases, it can actually cause more serious problems by encrypting the files on your system's hard drive.

Last year, Symantec discovered an android malware with hybrid characteristics of Fake AV and Ransomware. Last month, Bitdefender identified an android version of Ransomware which was being sold in the underground market.  The malware bluffed victims into paying a ransom but didn't actually encrypt the files.

Until now, there have been no reports of android malware that encrypts the files.

Security researchers at ESET say they have spotted the first variant of Ransomware that encrypts files in your Android Device.

The malware, dubbed as Simplocker, shows a ransom message written in Russian which informs victims that their device is locked for  viewing and distribution child porn.

It scans the SD card for certain file types such as image, document or videos, encrypts them using Advanced Encryption Standard(AES), and demands money in order to decrypt them.


It also gathers information about the infected device and sends to a command and control server.  The server is located in Tor ".onion" domain for purposes of anonymity.

Don't Pay:
"We strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them" Researchers at ESET say.