31 July 2019

New Android ransomware spreads via malicious posts on Reddit and XDA Developers forums

Cybersecurity researchers have come across a new Android ransomware family distributed via various online forums. Dubbed Android/Filecoder.C by ESET, the malware uses victims’ contact lists in an attempt to spread through SMS messages containing malicious links.

Android/Filecoder.C has been active since at least July 2019 and is being spread through malicious posts in online forums including Reddit and the Android developer messaging board XDA Developers. 

The researchers discovered two domains that hosted malicious Android files. The attackers lured potential victims to these domains via porn-related posts and comments on Reddit and posts on technical topics on XDA Developers, which included links to the malicious apps.

After infecting an Android device, Filecoder scans the victim's contact list and sends a link to the ransomware to every entry in it. The link is presented as a link to an app that supposedly uses the contact's photos, while in reality it leads to a malicious app containing the ransomware. Depending on the device's language setting, Filecoder sends the message in one of 42 language versions, and it includes the contact's name in the message to personalize it.

If the victim clicks on the link and installs the app manually, the app displays the promised material, most often an online sex simulator game, but its main purposes are C&C communication, sending the malicious messages, and implementing the encryption/decryption mechanism.

The app contains hardcoded command-and-control (C2) settings and Bitcoin wallet addresses in its source code, and also uses the Pastebin service for dynamic retrieval. After sending text messages to the entries in the victim's contact list, the malware encrypts most of the files in the device's accessible storage, excluding system files, and displays a ransom note demanding approximately $98 to $188 in cryptocurrency. It does not, however, encrypt files in directories whose path contains the strings “.cache”, “tmp” or “temp”, or files with the extensions “.zip” or “.rar”. ESET also noticed a few oddities in this ransomware. During encryption, Filecoder ignores files over 50MB in size and “.jpeg”, “.jpg” and “.png” files smaller than 150Kb, and unlike typical Android ransomware it does not lock the device's screen. Its list of file types to encrypt includes types unrelated to Android while leaving out typical Android extensions such as .apk, .dex and .so; the researchers believe the list is simply a copy of the one used by the notorious WannaCry ransomware.
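For incident scoping, the file-selection rules above can be turned into a triage helper that estimates which files on a recovered storage image the encryption routine would have touched. The following is an added example, not ESET's or the malware's code; the file listing is constructed, and because the article does not give the target extension list (only that it was copied from WannaCry), the helper treats every file not explicitly excluded as a candidate.

```python
"""Triage helper: apply the Android/Filecoder.C selection rules described in
the article to a file listing from a storage image (added example, not ESET's
code). The sample listing below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

MAX_SIZE = 50 * 1024 * 1024       # files over 50 MB are ignored
MIN_IMAGE_SIZE = 150 * 1024       # .jpeg/.jpg/.png under 150 KB are ignored
IMAGE_EXTS = {".jpeg", ".jpg", ".png"}
SKIPPED_EXTS = {".zip", ".rar"}
SKIPPED_DIR_MARKERS = (".cache", "tmp", "temp")


@dataclass(frozen=True)
class FileEntry:
    path: str   # POSIX-style path inside the storage image
    size: int   # size in bytes


def skip_reason(entry: FileEntry) -> Optional[str]:
    """Return why the routine would skip this file, or None if it is a candidate.
    Assumption: the target extension list is not on the page, so anything not
    explicitly excluded counts as a candidate."""
    directory, _, name = entry.path.rpartition("/")
    if any(marker in directory for marker in SKIPPED_DIR_MARKERS):
        return "directory marker"
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in SKIPPED_EXTS:
        return "archive extension"
    if entry.size > MAX_SIZE:
        return "over 50 MB"
    if ext in IMAGE_EXTS and entry.size < MIN_IMAGE_SIZE:
        return "image under 150 KB"
    return None


def triage(entries: Iterable[FileEntry]) -> Tuple[List[str], Dict[str, str]]:
    """Split a listing into (candidate paths, {skipped path: reason})."""
    candidates: List[str] = []
    skipped: Dict[str, str] = {}
    for entry in entries:
        reason = skip_reason(entry)
        if reason is None:
            candidates.append(entry.path)
        else:
            skipped[entry.path] = reason
    return candidates, skipped


# Constructed sample listing, as a forensic tool might export it.
SAMPLE_LISTING = [
    FileEntry("/sdcard/DCIM/Camera/IMG_0001.jpg", 2_400_000),
    FileEntry("/sdcard/DCIM/.thumbnails/small.jpg", 40_000),
    FileEntry("/sdcard/Download/backup.zip", 9_000_000),
    FileEntry("/sdcard/Movies/holiday.mp4", 700_000_000),
    FileEntry("/sdcard/Android/data/com.example/cache/tmp/page.html", 3_000),
    FileEntry("/sdcard/Documents/notes.txt", 1_200),
]

if __name__ == "__main__":
    cands, skips = triage(SAMPLE_LISTING)
    print("would be encrypted:", cands)
    print("skipped:", skips)
```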

“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat,” noted ESET researcher Lukas Stefanko.
