ESET researchers discover new Android ransomware that tries to spread all around

Android ransomware may have been on the decline since 2017 – but recently, ESET researchers discovered a new ransomware family, Android/Filecoder.C. Using victims’ contact lists, it attempts to spread further via SMSes with malicious links.

The new ransomware was seen distributed via porn-related topics on Reddit. The malicious profile used in the ransomware-distributing campaign was reported by ESET, but is still active. For a short period of time, the campaign had also run on the “XDA developers” forum, a forum for Android developers; based on ESET’s report, the operators removed the malicious posts.

The campaign we discovered is small and rather amateurish. However, if the distribution becomes more advanced, this new ransomware could become a serious threat,” comments Lukáš Štefanko, the ESET researcher who led the investigation.

The new ransomware is notable for its spreading mechanism. Before it starts encrypting files, it sends a batch of text messages to every address in the victim’s contact list, luring the recipients to click on a malicious link leading to the ransomware installation file. “In theory, this can lead to a flood of infections – more so that the malware has 42 language versions of the malicious message. Fortunately, even non-suspecting users must notice that the messages are poorly translated, and some versions do not seem to make any sense,” comments Lukáš Štefanko.

Besides its non-traditional spreading mechanism, Android/Filecoder.C has a few anomalies in its encryption. It excludes large archives (over 50 MB) and small images (under 150 kB), and its list of “filetypes to encrypt” contains many entries unrelated to Android, while also lacking some of the extensions typical for Android. “Apparently, the list has been copied from the notorious WannaCry ransomware,” observes Štefanko.

There are also other intriguing elements to the unorthodox approach that the developers of this malware have used. Unlike typical Android ransomware, Android/Filecoder.C doesn’t prevent the user from accessing the device by locking the screen. Furthermore, the ransom is not set as a hardcoded value; instead, the amount that the attackers request in exchange for the promise of decrypting the files is created dynamically using the UserID assigned by the ransomware to the particular victim. This process results in a unique ransom amount, falling in the range of 0.01-0.02 BTC.

The trick with a unique ransom is novel: we haven’t seen it before in any ransomware from the Android ecosystem,” says Štefanko. “It is probably meant to assign payments to victims. This task is typically solved by creating a unique Bitcoin wallet for every encrypted device. In this campaign, we’ve only seen one Bitcoin wallet being used.

According to Lukáš Štefanko, users with devices protected by ESET Mobile Security are safe from this threat. “They receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.

This discovery shows that ransomware still poses a threat to Android mobile devices. To stay safe, users should stick to basic security principles:

  • Keep your devices up to date; ideally, set them to patch and update automatically so that you stay protected.
  • If possible, stick with Google Play or other reputable app stores. These markets may not be completely free from malicious apps, but you have a fair chance of avoiding them.
  • Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.
  • Focus on the permissions requested by the app. If they seem inadequate for the app’s functions, avoid downloading the app.
  • Use a reputable mobile security solution to protect your device.

For more details, read “Android ransomware is back” on WeLiveSecurity.com and follow ESET research on Twitter.