ESET researchers have recently discovered a new ransomware family, Android/Filecoder.C.
According to ESET, using victims’ contact lists, it attempts to spread further via SMSes with malicious links.
The new ransomware was seen distributed via porn-related topics on Reddit. The malicious profile used in the ransomware-distributing campaign was reported by ESET but is still active. For a short period of time, the campaign had also run on the “XDA developers” forum, a forum for Android developers; based on ESET’s report, the operators removed the malicious posts.
“The campaign we discovered is small and rather amateurish. Also, the ransomware itself is flawed – especially in terms of the encryption which is poorly implemented. Any encrypted files can be recovered without help from the attackers,” said Lukáš Štefanko, ESET researcher who led the investigation. “However, if the developers fix the flaws and the distribution becomes more advanced, this new ransomware could become a serious threat.”
The new ransomware is notable for its spreading mechanism. Before it starts encrypting files, it sends a batch of text messages to every address in the victim’s contact list, luring the recipients to click on a malicious link leading to the ransomware installation file. “In theory, this can lead to a flood of infections – more so that the malware has 42 language versions of the malicious message. Fortunately, even non-suspecting users must notice that the messages are poorly translated, and some versions do not seem to make any sense,” said Štefanko.
Besides its non-traditional spreading mechanism, Android/Filecoder.C has a few anomalies in its encryption. It excludes large archives (over 50 MB) and small images (under 150 kB), and its list of “filetypes to encrypt” contains many entries unrelated to Android while also lacking some of the extensions typical for Android. “Apparently, the list has been copied from the notorious WannaCry ransomware,” observes Štefanko.
There are also other intriguing elements to the unorthodox approach which the developers of this malware have used. Unlike typical Android ransomware, Android/Filecoder.C doesn’t prevent the user from accessing the device by locking the screen. Furthermore, the ransom is not set as a hardcoded value; instead, the amount that the attackers request in exchange for the promise of decrypting the files is created dynamically using the UserID assigned by the ransomware to the particular victim. This process results in a unique ransom amount, falling in the range of 0.01-0.02 BTC.
“The trick with a unique ransom is novel: we haven’t seen it before in any ransomware from the Android ecosystem,” explained Štefanko. “It is probably meant to assign payments to victims. This task is typically solved by creating a unique Bitcoin wallet for every encrypted device. In this campaign, we’ve only seen one Bitcoin wallet being used.”
Štefanko highlighted that users with devices protected by ESET Mobile Security are safe from this threat. “They receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.”
