31 July 2019

New Android ransomware spreads via malicious posts on Reddit and XDA Developers forums


Cybersecurity researchers have come across a new Android ransomware family distributed via online forums. Dubbed Android/Filecoder.C by ESET, the malware reads the victim's contact list and tries to spread itself by sending each contact an SMS message containing a malicious link.

Android/Filecoder.C has been active since at least July 2019 and is being spread through malicious posts on online forums, including Reddit and the Android developer board XDA Developers.

The researchers discovered two domains hosting the malicious Android files. The attackers lured potential victims to these domains with porn-related posts and comments on Reddit and with technical topics on XDA Developers, both containing links to the malicious apps.

After infecting an Android device, Filecoder reads the victim's contact list and sends an SMS message with a link to the ransomware to every entry in it. The message presents the link as an app that supposedly uses the contact's photos; in reality it points to the malicious app carrying the ransomware. Depending on the device's language setting, Filecoder sends the message in one of 42 language versions, and it inserts the contact's name to make the message look personal.

If the recipient opens the link and manually installs the app, the app does display the promised content, most often an online sex simulator game, but its real purposes are C&C communication, sending the malicious SMS messages, and encrypting (and, after payment, decrypting) the victim's files.

The app contains hardcoded command-and-control (C2) settings and Bitcoin wallet addresses in its source code, and can also retrieve them dynamically via Pastebin. After sending the text messages to the entries in the victim's contact list, the malware encrypts most of the files in the accessible device storage, excluding system files, and then displays a ransom note demanding the equivalent of approximately $98 to $188 in cryptocurrency.

The encryption is not exhaustive, however. Filecoder skips files in directories whose names contain the strings ".cache", "tmp" or "temp", as well as files with the extensions ".zip" and ".rar". ESET also noticed a few oddities: during encryption Filecoder ignores files larger than 50 MB and ".jpeg", ".jpg" and ".png" files smaller than 150 KB, and unlike typical Android ransomware it does not lock the device's screen. Its list of file types to encrypt also includes types unrelated to Android while leaving out typical Android extensions such as .apk, .dex and .so. The researchers believe the list is simply copied from the notorious WannaCry ransomware.
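To make the scoping rules above concrete, here is an added triage helper (written for this page, not code from ESET or from the malware) that decides, for a list of file paths and sizes, which files Filecoder.C's rules would put in scope for encryption. An incident responder can run it over a file listing from a device to estimate what was affected and what survived. The targeted-extension list is only a small assumed subset, because the page does not reproduce the real list (copied from WannaCry), and the 50 MB / 150 KB thresholds are assumed to be binary units; the sample file listing is constructed for the example.

```python
"""Triage helper: apply Android/Filecoder.C's described file-selection rules.

Rules taken from the article:
  * skip files in directories whose name contains ".cache", "tmp" or "temp"
  * skip ".zip" and ".rar" files
  * skip files larger than 50 MB
  * skip ".jpeg" / ".jpg" / ".png" files smaller than 150 KB
  * only encrypt files whose extension is on the (WannaCry-derived) target list
"""
import posixpath

# Assumption: binary units; the article only says "50MB" and "150Kb".
MAX_FILE_SIZE = 50 * 1024 * 1024
MIN_IMAGE_SIZE = 150 * 1024

IMAGE_EXTS = {".jpeg", ".jpg", ".png"}
SKIPPED_EXTS = {".zip", ".rar"}
SKIPPED_DIR_MARKERS = (".cache", "tmp", "temp")

# Assumed subset of the target list; the real list is not on the page.
TARGET_EXTS = {".jpg", ".jpeg", ".png", ".doc", ".docx", ".pdf",
               ".txt", ".mp4", ".zip", ".rar"}


def in_scope(path, size, target_exts=TARGET_EXTS):
    """Return True if Filecoder.C would encrypt this file, per the described rules."""
    # Directory exclusion is a substring match on each directory component,
    # so "tmp_uploads" is skipped just like "tmp" (that is how the article
    # describes it: directories *containing* the string).
    for component in posixpath.dirname(path).split("/"):
        if any(marker in component for marker in SKIPPED_DIR_MARKERS):
            return False

    ext = posixpath.splitext(path)[1].lower()
    # Archive exclusion wins even if the extension is also on the target list.
    if ext in SKIPPED_EXTS:
        return False
    if ext not in target_exts:
        return False
    if size > MAX_FILE_SIZE:
        return False
    if ext in IMAGE_EXTS and size < MIN_IMAGE_SIZE:
        return False
    return True


def triage(entries, target_exts=TARGET_EXTS):
    """Split (path, size) entries into files the ransomware would and would not touch."""
    result = {"encrypted": [], "spared": []}
    for path, size in entries:
        key = "encrypted" if in_scope(path, size, target_exts) else "spared"
        result[key].append(path)
    return result


# Constructed sample listing, not real forensic data.
SAMPLE_LISTING = [
    ("/sdcard/DCIM/Camera/IMG_001.jpg", 2_500_000),           # normal photo: in scope
    ("/sdcard/DCIM/.thumbnails/thumb.jpg", 40_000),           # tiny image: spared
    ("/sdcard/Android/data/com.example/.cache/notes.txt", 900),  # ".cache" dir: spared
    ("/sdcard/Download/backup.zip", 10_000_000),              # archive: spared
    ("/sdcard/Movies/holiday.mp4", 700_000_000),              # > 50 MB: spared
    ("/sdcard/Documents/report.pdf", 350_000),                # in scope
    ("/sdcard/tmp_uploads/scan.pdf", 300_000),                # "tmp" in dir name: spared
    ("/sdcard/Download/app-release.apk", 5_000_000),          # .apk not targeted: spared
]


if __name__ == "__main__":
    outcome = triage(SAMPLE_LISTING)
    print("Would be encrypted:")
    for p in outcome["encrypted"]:
        print("  ", p)
    print("Spared by the malware's own rules:")
    for p in outcome["spared"]:
        print("  ", p)
```

The practical value of the exclusions is that thumbnails, app caches and archives often survive an infection, which is where a responder should look first for recoverable copies of user data.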

“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat,” noted ESET researcher Lukas Stefanko.

 
