ESET researchers discover new Android ransomware that tries to spread all around

DUBAI INTERNET CITY, UAE - July 30, 2019 - PRLog -- Android ransomware may be on the decline since 2017 – but recently, ESET researchers discovered a new ransomware family, Android/Filecoder.C. Using victims' contact lists, it attempts to spread further via SMSes with malicious links.

The new ransomware was seen distributed via porn-related topics on Reddit. The malicious profile used in the ransomware-distributing campaign was reported by ESET but is still active. For a short period of time, the campaign had also run on the "XDA developers" forum, a forum for Android developers; based on ESET's report, the operators removed the malicious posts.


The new ransomware is notable for its spreading mechanism. Before it starts encrypting files, it sends a batch of text messages to every address in the victim's contact list, luring the recipients to click on a malicious link leading to the ransomware installation file. "In theory, this can lead to a flood of infections – more so that the malware has 42 language versions of the malicious message. Fortunately, even non-suspecting users must notice that the messages are poorly translated, and some versions do not seem to make any sense," comments Lukáš Štefanko.

Besides its non-traditional spreading mechanism, Android/Filecoder.C has a few  anomalies in its encryption. It excludes large archives (over 50 MB) and small images (under 150 kB), and its list of "filetypes to encrypt" contains many entries unrelated to Android while also lacking some of the extensions typical for Android. "Apparently, the list has been copied from the notorious WannaCry ransomware," observes Štefanko.

There are also other intriguing elements to the unorthodox approach which the developers of this malware have used. Unlike typical Android ransomware, Android/Filecoder.C doesn't prevent the user from accessing the device by locking the screen.

"The trick with a unique ransom is novel: we haven't seen it before in any ransomware from the Android ecosystem," says Štefanko. "It is probably meant to assign payments to victims. This task is typically solved by creating a unique Bitcoin wallet for every encrypted device. In this campaign, we've only seen one Bitcoin wallet being used."

According to Lukáš Štefanko, users with devices protected by ESET Mobile Security are safe from this threat. "They receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it."


https://www.eset.com/me/