Android ransomware is making a comeback, according to a group of cybersecurity researchers who discovered a new ransomware family circulating through SMS and other messaging services and targeting Google’s Android mobile operating system.
The ransomware was discovered by researchers from the cybersecurity firm ESET, who revealed that Android/Filecoder.C marks the end of a two-year decline in new Android malware detections.
Researchers said that Filecoder is spread through malicious posts in online forums including Reddit and the Android developer messaging board XDA Developers. Evidence suggests that the ransomware has been active since July 12, 2019.
“After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected by ESET Mobile Security as Android/Filecoder.C, distributed via various online forums,” the researchers wrote in a blog post.
The ransomware was said to utilize victims’ contact lists; it spreads further via SMS with malicious links. However, the researchers believe that the reach of the ransomware is very narrow, and there are flaws in its execution, making the impact of the ransomware “very limited.”
Nonetheless, according to the researchers, if the developers of the ransomware decide to use a broader target list, the newly discovered Filecoder could become “a serious threat.”
How does the ransomware spread?
The researchers believe that the Filecoder ransomware is being distributed through “malicious posts on Reddit and the XDA Developers forum,” and that it then spreads further via SMS messages containing the malicious link, sent to every contact in the victim’s contact list.
“The campaign we discovered is based on two domains (see the IoCs section below), controlled by the attackers, that contain malicious Android files for download. The attackers lure potential victims to these domains via posting or commenting on Reddit or XDA Developers,” the researchers wrote.
After the malware has spread to many people, it encrypts most of the user files on each device and requests a ransom: the classic ransomware MO.
The researchers also observed that the attackers are luring Redditors with porn-related topics. “Mostly, the topics of the posts were porn-related; alternatively, we’ve also seen technical topics used as a lure. In all comments or posts, the attackers included links or QR codes pointing to the malicious apps,” they said.
In one of the malicious links, the researchers found that the threat actors were using the Bit.ly URL-shortening service, which effectively masks the destination URL. The bit.ly link was created on Jun 11, 2019, and had received 59 clicks from different sources and countries.
Furthermore, since the attackers use SMS to spread the malware, they lure recipients into opening the ransomware-laced message by posing as an app that claims to hold sensitive photos of the victim.
To make the message appear more personal, the malware chooses among 47 language versions of the malicious text, matching it to the language settings of the device. To personalize the messages further, the malware prepends the contact’s name to them.
For the malware to work, the recipient has to open the link and install the app manually. After the app is launched, it displays whatever was promised in the post distributing it, most often an online sex-simulator game. Unbeknownst to the user, however, the real purpose of the app they installed is C&C communication, spreading the malicious messages, and implementing the encryption/decryption mechanism.
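The spreading behaviour described above (one device pushing the same link to every contact, with only the prepended name and the language varying between messages) is something a carrier or MDM team can look for in outbound SMS records. The following is an added example, not code from ESET or from this article: it parses a constructed log of outbound messages and flags any sender that delivered the same URL to many distinct recipients within a short window. The log format, phone numbers, names and the shortened placeholder URL are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-SMS log, one message per line:
#   <ISO timestamp> <sender> -> <recipient> : <text>
# Every number, name and URL here is a placeholder made up for this example.
SAMPLE_LOG = """\
2019-07-12T10:00:01 +15550000001 -> +15550000101 : Alice, someone put your photos in this app: https://bit.ly/PLACEHOLDER
2019-07-12T10:00:02 +15550000001 -> +15550000102 : Bob, someone put your photos in this app: https://bit.ly/PLACEHOLDER
2019-07-12T10:00:02 +15550000001 -> +15550000103 : Carol, jemand hat deine Fotos in diese App gestellt: https://bit.ly/PLACEHOLDER
2019-07-12T10:00:03 +15550000001 -> +15550000104 : Dave, someone put your photos in this app: https://bit.ly/PLACEHOLDER
2019-07-12T10:00:04 +15550000001 -> +15550000105 : Eve, someone put your photos in this app: https://bit.ly/PLACEHOLDER
2019-07-12T10:00:05 +15550000001 -> +15550000106 : Frank, someone put your photos in this app: https://bit.ly/PLACEHOLDER
2019-07-12T10:05:00 +15550000002 -> +15550000201 : lunch? https://example.invalid/menu
2019-07-12T10:05:30 +15550000002 -> +15550000202 : lunch? https://example.invalid/menu
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) : (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, recipient, text = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "sender": sender,
        "recipient": recipient,
        "text": text,
    }


def max_distinct_recipients(events, window):
    """Largest number of distinct recipients reached within any `window`-long span.

    `events` is a list of (timestamp, recipient) pairs; a sliding window over the
    time-sorted list is used so that a slow trickle does not accumulate into a hit.
    """
    events = sorted(events)
    best = 0
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({r for _, r in events[start:end + 1]}))
    return best


def find_sms_spreaders(lines, min_recipients=5, window=timedelta(minutes=10)):
    """Return (sender, url, recipient_count) for each sender that delivered the same
    URL to at least `min_recipients` distinct contacts within `window`.

    Grouping is keyed on the URL rather than the full text, because the lure
    text itself varies per recipient (prepended name, per-device language).
    """
    by_sender_url = defaultdict(list)  # (sender, url) -> [(ts, recipient), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for url in URL_RE.findall(rec["text"]):
            by_sender_url[(rec["sender"], url)].append((rec["ts"], rec["recipient"]))

    hits = []
    for (sender, url), events in sorted(by_sender_url.items()):
        count = max_distinct_recipients(events, window)
        if count >= min_recipients:
            hits.append((sender, url, count))
    return hits


if __name__ == "__main__":
    for sender, url, count in find_sms_spreaders(SAMPLE_LOG.splitlines()):
        print(f"{sender} sent {url} to {count} distinct contacts within the window")
```

The threshold and window are deliberately parameters: a user forwarding one link to a handful of friends is normal, while dozens of distinct recipients in minutes from a single handset, all carrying the same link, matches the contact-list worm pattern the researchers describe and is worth a closer look.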
“As for C&C communication, the malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service,” the researchers said.
The ransom note sent by the attackers to the victim states that if they remove the ransomware from the device by uninstalling it, their files can no longer be decrypted. The researchers confirmed that this might indeed be the case.
The ransom note, as the researchers point out, is also “dynamic.” The first part of the requested bitcoin amount is hardcoded (the value is 0.01), while the remaining six digits are the user ID generated by the malware.
Once the victim pays the roughly 0.01 BTC, about $98 at the time of writing, the attackers say they will provide the decryption key after they have verified the payment.