September 24, 2014
Discovered in May, the extortionist Android.Locker.2.origin poses extreme danger to user data. On an infected mobile device, the extortionist searches the available memory cards for files with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, and .3gp. It encrypts the files and adds the extension .enc to the filenames. Then the mobile device's screen is locked, and a message is displayed that accuses the user of distributing adult content and demands a ransom to unlock the device. To enhance the effect, the extortionist can also add a photo of the user, made with the handheld's front camera, to the ransom demand message.
After thoroughly examining the ransomware, Doctor Web designed a special utility that will most likely decrypt files corrupted by the malicious application, making it unnecessary for users to pay a ransom.
The utility scans the available SD card for encrypted files and attempts to restore one of them as a test. If successful, the program starts restoring all the corrupted files it has found. Backups of all the corrupted files are placed in the directory DrWebTemp before the utility attempts to decrypt them. All the recovered files are restored to their original location and the extension .enc is removed from their filenames. To avoid permanent data loss after the utility finishes its work, the directory DrWebTemp, which contains copies of the encrypted files, is not removed.
If your handheld has been compromised by Android.Locker.2.origin, follow these steps:
- Do not try to restore the encrypted data on your own;
- Contact Doctor Web's technical support. When filing a request, select ‘Cure request’ (this service is available free of charge);
- Attach a file encrypted by the ransomware to your request;
- Wait for a response from a virus analyst.
Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses. To get the utility, you have to be an owner of a commercial Dr.Web for Android, Dr.Web Security Space or Dr.Web Anti-virus license which includes technical support.
To ensure that your mobile device is continually protected from Android.Locker.2.origin and other Android threats, purchase Dr.Web for Android with advanced security features.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.