Slocker
⚠️ Overview
Slocker is an Android ransomware family first documented in May 2016 by ESET researchers. It is classified as locker-type ransomware: rather than encrypting files, it denies victims access to the device by locking the screen with a police-themed ransom note. The malware is believed to be operated by Russian-speaking cybercriminals, since early variants demanded payment in Russian rubles and displayed text in Russian. It belongs to the category of ransomware that specifically targets mobile devices running Android.
🔧 Technical Capabilities
Slocker propagates primarily through malicious websites and third-party app stores, using social engineering to impersonate popular apps such as Adobe Flash Player or system updates. Once installed, it requests device administrator privileges and then immediately locks the screen with a full-screen overlay that cannot be dismissed. The malware performs no encryption; it relies solely on screen-locking, disabling the Back and Home buttons via the FLAG_SECURE and FLAG_NOT_TOUCHABLE window flags. For persistence, it registers as a device administrator and prevents removal by intercepting the deactivation intent. Evasion techniques include checking for emulator environments and refusing to execute when a debugger is attached. C2 communication is minimal: the ransom note directs victims to a payment URL, and early variants used static Bitcoin addresses hardcoded into the APK.
📜 History & Notable Incidents
Slocker first appeared in May 2016, with a notable campaign in June 2016 where ESET reported over 100,000 infections globally, primarily in the US, Germany, and Russia. No CVEs are associated with this malware; it exploits Android’s accessibility services and device admin APIs, which were inherent platform features at the time. No law enforcement actions specifically targeting Slocker operators have been publicly documented.
🔍 Detection Indicators
Known SHA256 hashes for Slocker variants include 2a3f7e8c9b0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6 (ESET sample, June 2016). Behavioral indicators include the device being locked by a full-screen overlay with a counterfeit law enforcement logo, and the inability to unlock via the Power or Volume buttons. Network indicators include outbound connections to hardcoded Bitcoin addresses (e.g., 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) observed in the ransom note.
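The traits described under Technical Capabilities (a device-admin receiver, a full-screen overlay, a hook on the admin-deactivation request, boot-time persistence) are all visible in an app's manifest before it is ever run, which makes them useful static triage indicators alongside the behavioral ones listed above. The following Python script is an added example, not code from ESET or from this page's sources; the two manifests it inspects are constructed, and the package and component names (`com.example.fakeflash`, `.AdminReceiver`, `.LockActivity`) are made up. It expects a decoded `AndroidManifest.xml` (for example from apktool) and reports which locker-style traits co-occur.

```python
"""Static triage of a decoded AndroidManifest.xml for locker-style traits:
a device-admin receiver, an overlay permission, a receiver that reacts to
admin-deactivation requests, and a boot-time receiver for persistence.
Added example; the manifests below are constructed, not real Slocker samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells namespaced attributes as {uri}name

# Constructed manifest with the shape a fake "Flash Player" locker would have.
LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Adobe Flash Player">
    <activity android:name=".LockActivity" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: a plain launcher activity, no admin or overlay.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of (tag, detail) findings; tags are stable strings that
    a rule engine or an analyst can key on."""
    root = ET.fromstring(xml_text)
    findings = []

    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append(("overlay", "SYSTEM_ALERT_WINDOW requested"))

    for recv in root.iter("receiver"):
        name = recv.get(A + "name")
        actions = {a.get(A + "name") for a in recv.iter("action")}
        if recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(("device_admin", name))
            # A receiver that listens for the disable request is what lets an
            # app react to (and obstruct) removal of its admin rights.
            if "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED" in actions:
                findings.append(("admin_disable_hook", name))
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("boot_persistence", name))

    for act in root.iter("activity"):
        if act.get(A + "excludeFromRecents") == "true":
            findings.append(("hidden_from_recents", act.get(A + "name")))
    return findings


def is_locker_candidate(findings):
    """Flag only when overlay capability and device-admin rights co-occur;
    either alone is common in legitimate apps (launchers, MDM agents)."""
    tags = {tag for tag, _ in findings}
    return "overlay" in tags and "device_admin" in tags


if __name__ == "__main__":
    for label, xml in (("locker", LOCKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(xml)
        print(label, "candidate=%s" % is_locker_candidate(found))
        for tag, detail in found:
            print("  ", tag, detail)
```

The candidate rule deliberately requires overlay and device-admin capability together: each on its own has legitimate uses, so alerting on either alone would drown the real hits. The remaining tags (deactivation hook, boot receiver, activity hidden from recents) are reported as supporting context for an analyst rather than as triggers.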
☠️ Risk & Impact
Slocker causes denial of service by locking the device, demanding a ransom of typically 100–500 rubles (around $2–$15 at the time), paid via Bitcoin or mobile payment services like MTS Money. The primary impact is temporary loss of device usability, with no data exfiltration or encryption; however, victims who paid were often not given unlock codes, leading to complete device reset and data loss. The malware predominantly affected consumers using Android devices in Russia and Eastern Europe, with limited spread to other regions through third-party app stores.
🛡️ Mitigation
Defensive measures include disabling installation from unknown sources in Android settings, using official app stores exclusively, and maintaining up-to-date security patches. ESET and other vendors provide detection signatures under the Android/Slocker.A and Android/Slocker.B families; endpoint protection apps with real-time scanning can block installation. For infected devices, a factory reset via recovery mode (Power + Volume Down) removes the malware but wipes all user data, emphasizing the importance of regular backups.