UPDATED 00:12 EDT / MAY 11 2017


New variants of SLocker Android malware target corporate data

A form of ransomware that ran riot across Android apps in 2016 has returned, with more than 400 new versions found in the wild.

SLocker is a form of ransomware that targets employee and corporate data. It was notable when it was discovered not only because it infected thousands of Android devices but also because it was the first Android ransomware to use encryption when hijacking files.

The new versions of SLocker were discovered by mobile security firm Wandera Inc., which found that they’re targeting corporate mobile device fleets through app stores. Described by the company as being “polymorphic,” the new strains are said to have been redesigned to avoid all known detection techniques by using a wide variety of disguises, including altered icons, variations in package names, unique resources and executable files.

Like the old version, the new variants also encrypt files on an Android device, then later demand a ransom in return for a decryption key. However, some variants have expanded further and now can take over administrative rights, giving hackers access to a victim’s microphone, speakers and camera.

“Attacks against the mobile enterprise are becoming increasingly more sophisticated. In an effort to evade detection, attackers have created variations and permutations of their exploits, knowing that security tools struggle to identify each new version,” Wandera Vice President of Product Strategy Michael Covington said in a statement sent to SiliconANGLE. “As a result, defensive solutions must embrace data science and machine learning technologies in order to surface new insights and stay one step ahead of the attackers and zero-day threats.”

Wandera estimates that in 2016, SLocker managed to obtain ransoms from affected companies and users in excess of $10 million. The security firm did not put a figure on how much had been paid out as a result of the new versions.

