Android ransomware may be on the decline since 2017 – but recently, ESET researchers discovered a new ransomware family, Android/Filecoder.C. Using victims’ contact lists, it attempts to spread further via SMS messages carrying malicious links.
The new ransomware was seen being distributed via porn-related topics on Reddit. The malicious profile used in the ransomware-distributing campaign was reported by ESET but is still active. For a short period of time, the campaign also ran on the “XDA developers” forum, a forum for Android developers; following ESET’s report, the operators removed the malicious posts.
“The campaign we discovered is small and rather amateurish. Also, the ransomware itself is flawed – especially in terms of the encryption, which is poorly implemented. Any encrypted files can be recovered without help from the attackers,” comments Lukáš Štefanko, the ESET researcher who led the investigation. “However, if the developers fix the flaws and the distribution becomes more advanced, this new ransomware could become a serious threat.”
The new ransomware is notable for its spreading mechanism. Before it starts encrypting files, it sends a batch of text messages to every address in the victim’s contact list, luring the recipients into clicking a malicious link that leads to the ransomware installation file. “In theory, this can lead to a flood of infections – more so as the malware has 42 language versions of the malicious message. Fortunately, even unsuspecting users must notice that the messages are poorly translated, and some versions do not seem to make any sense,” comments Lukáš Štefanko.
Besides its non-traditional spreading mechanism, Android/Filecoder.C has a few anomalies in its encryption. It excludes large archives (over 50 MB) and small images (under 150 kB), and its list of “filetypes to encrypt” contains many entries unrelated to Android while also lacking some of the extensions typical for Android. “Apparently, the list has been copied from the notorious WannaCry ransomware,” observes Štefanko.
There are other intriguing elements to the unorthodox approach taken by this malware’s developers. Unlike typical Android ransomware, Android/Filecoder.C does not lock the screen to prevent the user from accessing the device. Furthermore, the ransom is not a hardcoded value; instead, the amount the attackers demand in exchange for the promise of decrypting the files is generated dynamically from the UserID that the ransomware assigns to each victim. The result is a ransom amount unique to each victim, falling in the range of 0.01-0.02 BTC.
“The trick with a unique ransom is novel: we haven’t seen it before in any ransomware from the Android ecosystem,” says Štefanko. “It is probably meant to assign payments to victims. This task is typically solved by creating a unique Bitcoin wallet for every encrypted device. In this campaign, we’ve only seen one Bitcoin wallet being used.”
According to Lukáš Štefanko, users with devices protected by ESET Mobile Security are safe from this threat. “They receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.”
This discovery shows that ransomware still poses a threat to Android mobile devices. To stay safe, users should stick to basic security principles:
- Keep your devices up to date; ideally, set them to patch and update automatically so that you stay protected.
- If possible, stick with Google Play or other reputable app stores. These markets may not be completely free from malicious apps, but you have a fair chance of avoiding them.
- Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.
- Pay attention to the permissions requested by the app. If they seem inadequate for the app’s functions, avoid downloading the app.
- Use a reputable mobile security solution to protect your device.
For more information, read the We Live Security blog.