A new Android ransomware family, dubbed Android/Filecoder.C, has been observed attempting to infect users. The malware uses unusual tricks to spread to victims’ devices.
How does it spread?
Discovered by ESET researchers, the malware is distributed through online forums and has been active since at least July 12, 2019. Within a few days of its discovery, the researchers extracted samples of the malware from several posts on Reddit and the ‘XDA Developers’ forum.
The posts were built around topics chosen to lure ordinary users, and each one carried links or QR codes pointing to the malicious apps. Soon after the discovery, the malicious posts on the XDA Developers forum were removed.
To boost its propagation, Android/Filecoder.C reads the victim’s contact list and sends each contact an SMS containing a malicious link. The link leads to the ransomware itself, although it is presented as a link to an app. To maximize its reach, the ransomware carries 42 language versions of the message template.
“Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” wrote the researchers.
What are its capabilities?
Once the ransomware has sent out a batch of malicious SMS messages, it encrypts most of the user’s files and demands a ransom. Android/Filecoder.C combines asymmetric and symmetric encryption: it generates a new AES key for each file it encrypts, and that per-file AES key is in turn protected with a public key, so the file contents cannot be recovered without the matching private key.
Files with a ‘zip’ or ‘rar’ extension are skipped. So are files larger than 51,200 KB (50 MB), and ‘.jpeg’, ‘.jpg’ and ‘.png’ files smaller than 150 KB.
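The selection rules above are easy to get subtly wrong (which side of each threshold is targeted, and whether the archive check ignores case), so here is a small triage helper that encodes them as stated. This is an added example, not code from the malware or from the ESET analysis; it models only the rules the article lists, assumes 1 KB = 1024 bytes (the only reading under which 51,200 KB equals 50 MB), and uses a constructed directory listing as input.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Thresholds from the article, expressed in bytes with 1 KB = 1024 bytes
// (the article gives "51,200 KB/50 MB", which only matches with 1024).
const (
	maxTargetBytes = 51200 * 1024 // files larger than this are left alone
	minImageBytes  = 150 * 1024   // .jpeg/.jpg/.png smaller than this are left alone
)

// wouldEncrypt reports whether a file with this name and size matches the
// selection rules the article lists. It models only those rules; real
// samples may apply exclusions the article does not mention.
func wouldEncrypt(name string, sizeBytes int64) bool {
	ext := strings.ToLower(strings.TrimPrefix(filepath.Ext(name), "."))
	switch ext {
	case "zip", "rar":
		return false // archives are skipped regardless of size
	}
	if sizeBytes > maxTargetBytes {
		return false // "over 51,200 KB" is skipped; exactly 51,200 KB is not
	}
	switch ext {
	case "jpeg", "jpg", "png":
		if sizeBytes < minImageBytes {
			return false // thumbnails and icons are skipped; exactly 150 KB is targeted
		}
	}
	return true
}

// fileEntry is a constructed (name, size) pair standing in for a directory listing.
type fileEntry struct {
	Name string
	Size int64
}

// triage splits a listing into the files the rules would target and the ones
// they would leave untouched, preserving input order.
func triage(files []fileEntry) (atRisk, skipped []string) {
	for _, f := range files {
		if wouldEncrypt(f.Name, f.Size) {
			atRisk = append(atRisk, f.Name)
		} else {
			skipped = append(skipped, f.Name)
		}
	}
	return atRisk, skipped
}

func main() {
	// Constructed sample listing; sizes chosen to sit on and around the thresholds.
	listing := []fileEntry{
		{"DCIM/IMG_0001.jpg", 2_400_000},
		{"DCIM/.thumbnails/1.jpg", 150*1024 - 1},
		{"Download/backup.ZIP", 900_000},
		{"Movies/holiday.mp4", 51200*1024 + 1},
		{"Documents/notes.txt", 10},
	}
	atRisk, skipped := triage(listing)
	fmt.Println("at risk:", atRisk)
	fmt.Println("skipped:", skipped)
}
```

When reviewing a recovered device, running the actual file listing through a check like this tells you which untouched files are expected (small thumbnails, archives, large videos) and which untouched files would indicate the encryption run was interrupted.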
A new Android threat was recently discovered by ESET researchers, and it has a quirky adult theme that might be enough to sucker unsuspecting users into installing it.
The number of reported cases so far is low, but it’s still important to be aware of what’s going on and make sure you’re doing everything you can to keep this ransomware from spreading.
How Filecoder.C ransomware works
The ransomware, known as Android/Filecoder.C, first appeared in Reddit and forum threads as HTML links and QR codes. It’s typically disguised as adult content or a sideloadable “sex simulation” VR app. In reality, the malicious .APKs install ransomware on your device, which then tries to spread itself via SMS messages to the victim’s stored contacts.
After sending the texts, Filecoder.C encrypts almost every file on the phone and locks the user out of them, rendering them unusable. It then demands a Bitcoin ransom to restore access. Based on Welivesecurity’s dissection of the app’s code, the ransom could fall anywhere between about $90 and $190, or even higher, depending on bitcoin’s current value.
While the encryption and ransom appear to be real, the app also claims it will delete the ransomed data after 72 hours. Welivesecurity was unable to confirm whether this is true. What it did confirm is that Filecoder.C uses an encryption method that is difficult to crack; worse, uninstalling the ransomware app doesn’t undo the encryption. You can read Welivesecurity’s report for a full explanation.
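The reason uninstalling the app doesn’t help, and the reason the first article’s description of a fresh AES key per file matters, is the key handling: each file is locked with its own random AES key, that key is wrapped with a public key whose private half never touches the device, and the wrapped key is stored next to the ciphertext. The following is an added example, written for this page, that demonstrates that property on in-memory byte strings; it is not the malware’s code or ESET’s. AES-256-GCM and RSA-OAEP are this example’s own choices (the article only says AES plus an asymmetric algorithm), and the layout of the sealed record is an assumption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sealedFile is this example's layout for one encrypted file: the per-file
// AES key, wrapped with the attacker's RSA public key, travels with the
// ciphertext. Nothing secret stays with the program that did the sealing.
type sealedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// sealFile encrypts one file's contents with a freshly generated AES key and
// wraps that key with the public key. AES-256-GCM and RSA-OAEP are this
// example's choices; the article only says AES plus an asymmetric algorithm.
func sealFile(pub *rsa.PublicKey, plaintext []byte) (*sealedFile, error) {
	key := make([]byte, 32) // new key for this file only, never reused
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &sealedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// openFile is what only the holder of the matching private key can do:
// unwrap the file's AES key, then decrypt the contents.
func openFile(priv *rsa.PrivateKey, sf *sealedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails here
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
}

func main() {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the attacker's key pair
	if err != nil {
		panic(err)
	}
	// Two constructed "files" with identical contents.
	a, _ := sealFile(&attacker.PublicKey, []byte("same photo bytes"))
	b, _ := sealFile(&attacker.PublicKey, []byte("same photo bytes"))
	fmt.Println("distinct per-file keys:", !bytes.Equal(a.WrappedKey, b.WrappedKey))
	fmt.Println("distinct ciphertexts:", !bytes.Equal(a.Ciphertext, b.Ciphertext))

	bystander, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = openFile(bystander, a)
	fmt.Println("opens without the attacker's private key:", err == nil)

	got, err := openFile(attacker, a)
	fmt.Println("opens with it:", err == nil && string(got) == "same photo bytes")
}
```

Two things fall out of running it: identical files produce unrelated wrapped keys and ciphertexts, so recovering one file’s key says nothing about the next; and any private key other than the one matching the wrapping public key fails at the unwrap step, which is why removing the app, which never held that private key, changes nothing.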
Tips for avoiding ransomware and other malware
Again, Filecoder.C doesn’t appear to have spread very far just yet, but it’s still in active circulation. Here are some tips to keep yourself safe from this and other nasty Android malware:
Be suspicious of random texts and links from your contacts
- The fake texts sent from Filecoder.C claim that compromising photos of you are showing up on other apps, but unless you’ve been cavalier about sharing such content, that’s highly unlikely.
- These texts will look and sound strange to begin with, so you should be able to tell that your friend actually didn’t send it. If the text is from someone you don’t talk to regularly, that’s even more reason to avoid clicking any links the message contains.
- When in doubt, don’t click on obscure links or install .APKs just because a friend texted them to you out of the blue. Call your friend and ask what’s up; you might even do them a favor by alerting them to their own malware infection.
Decode QR codes and check HTML link sources before you scan or click them
- The free QR Code Desktop Reader & Generator lets you see what a QR code contains before you scan it with your phone. This tool alone isn’t enough to keep you safe, but it at least shows you where a code will send you before you open it.
- For HTML links, especially short links like bit.ly links, use a service like ScanURL to check where they actually lead.
- An easy way to spot suspicious full-length links at a glance is an excessive number of “%” sequences in the URL: percent-encoding can hide the real file name or path from a casual reader.
Following the above steps helps, but we would also recommend simply avoiding HTML links and QR codes entirely if they feel odd or you can’t confirm what they are.
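To make the two link checks above concrete, here is an added example (not from the original article or any of the tools it names) that decodes a link’s percent-escapes so you can read the real path, counts them, and flags known shortener hosts. The shortener list beyond bit.ly and the threshold of five escapes are this example’s own assumptions; it works on the link text alone and never fetches anything.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Link-shortener hosts this example treats as "destination unknown". The
// article names bit.ly; the rest are this example's additions.
var shortenerHosts = map[string]bool{
	"bit.ly": true, "tinyurl.com": true, "t.co": true, "goo.gl": true, "ow.ly": true,
}

// maxEscapes is this example's threshold for "excessive" percent-escapes.
const maxEscapes = 5

type linkReport struct {
	Host        string
	Decoded     string // the link with %XX sequences decoded, so the reader sees the real path
	EscapeCount int
	Shortener   bool
	Malformed   bool // a %XX sequence that is not valid hex
	Suspicious  bool
}

// inspectLink applies the two checks from the article: is this a short link
// whose target is hidden, and does it lean on percent-encoding to obscure
// what it points at. url.Parse itself rejects malformed escapes in the path,
// so a parse error should be treated as suspicious too.
func inspectLink(raw string) (linkReport, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return linkReport{}, err
	}
	r := linkReport{
		Host:        strings.ToLower(u.Hostname()),
		EscapeCount: strings.Count(raw, "%"),
	}
	// PathUnescape decodes every %XX sequence and, unlike QueryUnescape,
	// leaves '+' alone. If decoding fails, keep the raw form and say so.
	decoded, decErr := url.PathUnescape(raw)
	if decErr != nil {
		decoded = raw
	}
	r.Decoded = decoded
	r.Malformed = decErr != nil
	r.Shortener = shortenerHosts[r.Host]
	r.Suspicious = r.Shortener || r.Malformed || r.EscapeCount >= maxEscapes
	return r, nil
}

func main() {
	// Constructed links; none of these are real malicious URLs.
	for _, link := range []string{
		"https://example.com/update.apk",
		"https://example.com/%61%70%70%2e%61%70%6b",
		"https://bit.ly/3abc",
		"https://example.com/x?q=%zz",
	} {
		r, err := inspectLink(link)
		if err != nil {
			fmt.Printf("%s: parse error (%v), treat as suspicious\n", link, err)
			continue
		}
		fmt.Printf("%s -> host=%s decoded=%s escapes=%d shortener=%t malformed=%t suspicious=%t\n",
			link, r.Host, r.Decoded, r.EscapeCount, r.Shortener, r.Malformed, r.Suspicious)
	}
}
```

The decoded form is the useful output for a human: a link that only reveals it ends in `.apk` after decoding is exactly the case the article warns about.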
Don’t download or install random APK files
- Stick to verified app stores or trusted sites like APK Mirror.
- Malware and ransomware are especially notorious for pretending to be adult content. Take extra caution with these links, and don’t install weird-sounding naughty apps—especially if you’re sideloading them onto your device.
- Use a reputable anti-virus app so malicious apps are flagged before they are installed.