Android ransomware may have been on the decline since 2017 \u2013 but recently,\nESET researchers discovered a new ransomware family, Android\/Filecoder.C. Using\nvictims\u2019 contact lists, it attempts to spread further via SMSes with malicious\nlinks. <\/p>\n\n\n\n
The new ransomware was seen\ndistributed via porn-related topics on Reddit. The malicious profile used in\nthe ransomware-distributing campaign was reported by ESET, but is still active.\nFor a short period of time, the campaign had also run on the \u201cXDA developers\u201d\nforum, a forum for Android developers; based on ESET\u2019s report, the operators\nremoved the malicious posts. <\/p>\n\n\n\n
\u201cThe\ncampaign we discovered is small and rather amateurish. However, if the\ndistribution becomes more advanced, this new ransomware could become a serious\nthreat,\u201d<\/em>\ncomments Luk\u00e1\u0161 \u0160tefanko, the ESET researcher who led the investigation. <\/p>\n\n\n\n The new ransomware is\nnotable for its spreading mechanism. Before it starts encrypting files, it sends\na batch of text messages to every address in the victim\u2019s contact list, luring\nthe recipients to click on a malicious link leading to the ransomware\ninstallation file. \u201cIn theory, this can\nlead to a flood of infections \u2013 more so that the malware has 42 language\nversions of the malicious message. Fortunately, even non-suspecting users must notice\nthat the messages are poorly translated, and some versions do not seem to make\nany sense,\u201d<\/em> comments Luk\u00e1\u0161 \u0160tefanko. <\/p>\n\n\n\n Besides its non-traditional\nspreading mechanism, Android\/Filecoder.C has a few anomalies in its encryption.\nIt excludes large archives (over 50 MB) and small images (under 150 kB), and\nits list of \u201cfiletypes to encrypt\u201d contains many entries unrelated to Android, while\nalso lacking some of the extensions typical for Android. \u201cApparently, the list has been copied from the notorious WannaCry\nransomware,\u201d<\/em> observes \u0160tefanko.<\/p>\n\n\n\n There are also other intriguing\nelements to the unorthodox approach that the developers of this malware have\nused. Unlike typical Android ransomware, Android\/Filecoder.C doesn\u2019t prevent\nthe user from accessing the device by locking the screen. Furthermore, the\nransom is not set as a hardcoded value; instead, the amount that the attackers request\nin exchange for the promise of decrypting the files is created dynamically using\nthe UserID assigned by the ransomware to the particular victim. This process\nresults in a unique ransom amount, falling in the range of 0.01-0.02 BTC. <\/p>\n\n\n\n \u201cThe trick with a unique ransom is novel: we\nhaven\u2019t seen it before in any ransomware from the Android ecosystem,\u201d <\/em>says \u0160tefanko. \u201cIt is probably meant to assign payments\nto victims. This task is typically solved by creating a unique Bitcoin wallet\nfor every encrypted device. In this campaign, we\u2019ve only seen one Bitcoin wallet\nbeing used.\u201d<\/em> <\/p>\n\n\n\n According to Luk\u00e1\u0161 \u0160tefanko,\nusers with devices protected by ESET Mobile Security are safe from this threat.\n\u201cThey receive a warning about the\nmalicious link; should they ignore the warning and download the app, the\nsecurity solution will block it<\/em>.\u201d<\/p>\n\n\n\n This discovery shows that\nransomware still poses a threat to Android mobile devices. To stay safe, users\nshould stick to basic security principles:<\/p>\n\n\n\n