Flawed, but promising, Android ransomware uncovered

News by Doug Olenick

Researchers found a ransomware family nicknamed Android/Filecoder.C, which uses victims' contact lists in an attempt to spread through SMS texts containing malicious links.

Researchers have come across a new Android ransomware family, nicknamed Android/Filecoder.C, that uses victims’ contact lists in an attempt to spread through SMS texts containing malicious links.

According to ESET, Android/Filecoder.C is poorly constructed and uses an encryption method that can be defeated without the decryptor keys. However, the malicious actors did not get everything wrong: ESET researcher Lukáš Štefanko gave it kudos for its ability to spread.

"The new ransomware is notable for its spreading mechanism. Before it starts encrypting files, it sends a batch of text messages to every address in the victim’s contact list, luring the recipients to click on a malicious link leading to the ransomware installation file," he noted. In theory, this could lead to a flood of infections, he added, particularly since the malware uses messages in 42 different languages, widening its ability to snag victims.

So far, the developers behind Android/Filecoder.C are primarily distributing the ransomware via malicious domains to which unsuspecting victims are lured by porn-related posts and comments on Reddit.

Štefanko said the scary aspect of Android/Filecoder.C is that if the creators decide to fix its flaws and the distribution becomes more advanced, the ransomware could become a serious threat.

ESET also found a few other oddities in this ransomware. During the encryption process, it ignores archives over 50 MB in size and images smaller than 150 KB, and it does not lock the device’s screen, as typical Android ransomware does. Additionally, its list of file types to encrypt contains types not found on Android devices, while some common Android extensions are not included at all.

But perhaps the strangest activity is how it decides on the ransom amount.

"The ransom is not set as a hardcoded value; instead, the amount that the attackers request in exchange for the promise of decrypting the files is created dynamically using the UserID assigned by the ransomware to the particular victim. This process results in a unique ransom amount, falling in the range of 0.01-0.02 BTC," the report said.

This article was originally published on SC Media US.
