A new family of ransomware designed to attack Google's Android mobile operating system utilizes SMS messaging to spread, researchers say.
On Monday, cybersecurity professionals from ESET revealed their investigation into the new malware, dubbed Android/Filecoder.C, that earmarks the end of a two-year decline in new Android malware detections.
Filecoder has been active since at least July 12, 2019, and is being spread through malicious posts in online forums including Reddit and the Android developer messaging board XDA Developers.
The majority of the malicious posts and comments found by ESET attempt to lure victims into downloading the malware by associating with pornographic material and disguising domains with bit.ly links.
Once installed on an Android mobile device, Filecoder plunders the victim's contact list and sends text messages to every entrant. The link is advertised as an app which has apparently used the contact's photos, whereas, in reality, it is a malicious app harboring the ransomware.
Depending on the infected device's language setting, the messages will be sent in one of 42 possible language versions, and the contact's name is also included in the message automatically.
If the link is clicked and the malicious app is installed manually, it often displays material such as a sex simulator. However, the real purpose is quietly running in the background.
The app contains hardcoded command-and-control (C2) settings, as well as Bitcoin wallet addresses, within its source code. However, Pastebin is used by the attackers as a conduit for dynamic retrieval.
Once the propagation messages have been sent, Filecoder then scans the infected device to find all storage files and will encrypt the majority of them. Filecoder will encrypt file types including text files and images but fails to include Android-specific files such as .apk or .dex.
ESET believes that the encryption list is no more than a copy-and-paste job from WannaCry, a far more severe and prolific form of ransomware.
A ransom note is then displayed, with demands ranging from approximately $98 to $188 in cryptocurrency. There is no evidence that files will be lost after the time threatened.
The malware does not lock the device screen or prevent a smartphone from being used, but if a victim removes the app, the files will not be decrypted through the blackmail demand -- but due to "flawed encryption," the researchers say it is still possible to recover files without paying up.
Filecoder generates a public and private key pair when encrypting a device's contents. The private key is encrypted with an RSA algorithm and a hardcoded value which is sent to the operator's C2. Therefore, if a victim pays up, the attacker can decrypt the private key and release it to the victim.
However, the researchers say that the hardcoded key value can be used to decrypt files without paying the blackmail fee by "changing the encryption algorithm to a decryption algorithm," and all you need is the UserID which is provided by the ransomware to the victim in the ransom note.
"Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited," ESET says. "However, if the developers fix the flaws and the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat."
Previous and related coverage
- Anubis Android banking malware returns with extensive financial app hit list
- Android spyware campaign spreads across the Middle East
- This Android malware can take photos and videos and spy on your app history
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0