Cybersecurity researchers have come across a new Android ransomware family distributed via various online forums. Dubbed Android/Filecoder.C by ESET the malware uses victims’ contact list in an attempt to spread through SMS texts containing malicious links.

Android/Filecoder.C has been active since at least July 2019 and is being spread through malicious posts in online forums including Reddit and the Android developer messaging board XDA Developers. 

The researchers discovered two domains that hosted malicious Android files. The attackers lured potential victims to these domains via porn related posts and comments on Reddit or technical topics on XDA Developers, which included links to malicious apps.

After infecting an Android mobile device, Filecoder scans the victim's contact list and sends links on ransomware to all the entries in the list. The link is presented as a link to an app that supposedly uses the contact's photos while in reality it is a malicious app containing the ransomware. Depending on the device language setting, Filecoder will send messages in one of 42 possible language versions. To personalize the message the malware also will include the contact's name in it. 

If the victim clicks on the link and installs the app manually the app will display a promised material, most often it is a sex simulator online game, but its main purposes are C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism.

The app contains hardcoded command-and-control (C2) settings, as well as Bitcoin wallet addresses, within its source code and uses Pastebin service for dynamic retrieval. After sending text messages to entrants in victims’ contact list the malware will encrypt most of the files in the accessible device’s storage, excluding system files, and will display its ransom note with demands ranging from approximately $98 to $188 in cryptocurrency. However, it doesn’t encrypt files in directories that contain the strings “.cache”, “tmp”, or “temp”or files with extensions “.zip” or “.rar”. ESET also noticed a few oddities with this ransomware. For example, during the encryption process, Filecoder ignores files over 50MB in size and “.jpeg”, “.jpg” and “.png” files smaller than 150Kb, and unlike typical Android ransomware it does not lock the device’s screen. Additionally, its list of filetypes to encrypt includes types unrelated to Android and at the same time leaves out some typical Android extensions such as .apk, .dex, .so. The researchers believe that the list is no more than the copy of the list of the notorious WannaCry ransomware.

“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat,” noted ESET researcher Lukas Stefanko.