New ransomware spread by SMS

While Android ransomware has been inactive since 2017, ESET researchers have discovered a new family of ransomware that uses victims' contact lists to spread further via SMS containing malicious links.

The new ransomware, called Android/Filecoder.C, has been distributed on Reddit in threads related to adult content, as well as for a short time via the "XDA Developers" forum.

The ESET researcher who carried out the investigation, Lukáš Štefanko, provided additional information about the ransomware campaign uncovered by the company, stating:

"The campaign we discovered is small and quite amateurish. Furthermore, the ransomware itself is flawed, especially with regard to poorly implemented encryption. All encrypted files can be recovered without the help of attackers. However, if the developers correct the failures and distribution becomes more advanced, this new ransomware could become a serious threat."

Android/Filecoder.C

Android/Filecoder.C has attracted the attention of ESET researchers due to its unique transmission mechanism. Before starting to encrypt files, the ransomware sends a batch of text messages, each containing a malicious link to the ransomware installation file, to every entry in the victim's contact list.
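An added example, not from ESET or the original article: a detection heuristic for the spreading behaviour described above, flagging any app that sends the same link to many distinct recipients within a short window. The record format (timestamp, sending package, recipient, body), the package names, the thresholds and the sample data are all constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def find_sms_bursts(records, min_recipients=5, window_s=60):
    """Return sorted (app, url, n) tuples where one app sent the same URL
    to at least min_recipients distinct numbers within window_s seconds."""
    by_key = defaultdict(list)  # (app, url) -> [(timestamp, recipient)]
    for ts, app, recipient, body in records:
        for url in URL_RE.findall(body):
            by_key[(app, url.rstrip(".,)"))].append((ts, recipient))
    findings = []
    for (app, url), events in by_key.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window until it spans at most window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = len({rcpt for _, rcpt in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_recipients:
            findings.append((app, url, best))
    return sorted(findings)

# Constructed sample data (hypothetical packages, numbers and URLs):
# one app messaging six contacts in ten seconds, one ordinary chat,
# and one sender whose six messages are spread over several hours.
SAMPLE = (
    [(1000 + 2 * i, "com.example.unknownapp", f"+1555010{i:02d}",
      "Look at this http://example.test/app.apk") for i in range(6)]
    + [(1000, "com.example.messenger", "+155501000",
        "Notes: https://example.test/doc"),
       (1030, "com.example.messenger", "+155501001",
        "Notes: https://example.test/doc")]
    + [(3600 * i, "com.example.newsletter", f"+1555020{i:02d}",
        "Offer https://example.test/sale") for i in range(6)]
)

if __name__ == "__main__":
    for app, url, n in find_sms_bursts(SAMPLE):
        print(f"ALERT {app} sent {url} to {n} contacts within the window")
```

Only the first sender in the sample is flagged; the slow sender reaches the same number of recipients but never within one window.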

In addition to its non-traditional spreading mechanism, Android/Filecoder.C contains some anomalies in its encryption. The ransomware excludes large files (greater than 50 MB) and small images (less than 150 KB). The list of "file types to encrypt" also contains many entries unrelated to Android, as well as some of the typical Android extensions, which Štefanko says is the direct result of copying the list from the well-known WannaCry ransomware.

Unlike classic Android ransomware, Android/Filecoder.C does not prevent users from accessing their devices by locking the screen. Also, the ransom is not defined as a hard-coded value. The amount requested by the attackers is dynamically created using the user ID assigned by the ransomware to the victim. This process results in an individual ransom amount for each victim, ranging from 0.01 to 0.02 BTC.

To avoid becoming a victim of ransomware, ESET recommends that you keep your devices up to date, download applications only from Google Play or other reputable app stores, check an application's ratings and reviews before installing it, pay special attention to the permissions an app requests, and use a mobile security solution to protect your device.