While Android ransomware has been declining since 2017, ESET researchers have discovered a new ransomware family that uses victims’ contact lists to spread further via SMS messages containing malicious links.
The new ransomware, referred to as Android/Filecoder.C, was distributed on adult content-related topics on Reddit and for a short time via the “XDA developers” forum.
The ESET researcher who led the investigation, Lukáš Štefanko provided further insight into the ransomware campaign the company discovered, saying:
“The campaign we discovered is small and rather amateurish. Also, the ransomware itself is flawed – especially in terms of the encryption which is poorly implemented. Any encrypted files can be recovered without help from the attackers. However, if the developers fix the flaws and the distribution becomes more advanced, this new ransomware could become a serious threat.”
Android/Filecoder.C gained the attention of ESET researchers because of its unique spreading mechanism. Before it starts encrypting files, the ransomware sends a batch of text messages to every address in a victim’s contact list that contains a malicious link to ransomware installation file.
In addition to its non-traditional spreading mechanism, Android/Filecoder.C contains a few anomalies in its encryption. The ransomware excludes large archives (over 50 MB) and small images (under 150 KB). It list of “fileytpes to encrypt” also contains many entries unrelated to Android while also lacking some of the extensions typical for Android which Štefanko believes is a direct result of its list being copied from the notorious WannaCry ransomware.
Unlike typical Android ransomware, Android/Filecoder.C does not prevent users from accessing their devices by locking the screen. Additionally the ransom is not set as a hardcoded value and instead the amount requested by the attackers is created dynamically using the UserID assigned by the ransomware to the particular victim. This process results in a unique ransom amount for each victim, falling in the range of 0.01 to 0.02 BTC.
To prevent falling victim to ransomware, ESET recommends that you keep your devices up to date, only download apps from Google Play or other reputable app stores, check the ratings and reviews of apps before installation, pay close attention to the permissions requested by an app and use a mobile security solution to protect your device.