News by Xiaomi Miui Hellas
Press release

Warning: New ransomware for Android is trying to spread en masse via SMS

ESET researchers have discovered a new family of ransomware attacking Android, Android/Filecoder.C, which uses the victims' contact lists and tries to spread further through SMS messages containing malicious links.


This new ransomware is spreading on Reddit through pornographic content. ESET has reported the malicious profile used in the ransomware campaign, but it is still active. For a short time, the campaign had also run on "XDA developers", a forum for Android developers. According to the ESET report, the cybercriminals operating the ransomware have removed the malicious posts.

Android/Filecoder.C uses an interesting spreading mechanism. Before file encryption begins, multiple text messages are sent to each address in the victim's contact list, prompting recipients to click on a malicious link that leads to the ransomware installation file. "Theoretically, endless infections can occur, as this malicious message is available in 42 languages. Fortunately, even the least suspicious users can understand that the messages are not properly translated and in some languages do not seem to make sense," said Lukáš Štefanko, head of research.

In addition to its non-traditional deployment mechanism, Android/Filecoder.C has some anomalies in its encryption. It excludes large files (over 50 MB) and small images (below 150 kB), and its list of "file types for encryption" contains many entries that are not related to Android, while some extensions that are common on Android are missing. "Obviously, the list has been copied from the infamous WannaCry ransomware," Štefanko notes.

There are other interesting facts about the unorthodox approach used by the developers of this malware. Unlike standard ransomware for Android, Android/Filecoder.C does not prevent the user from accessing the device by locking the screen. In addition, no specific amount has been set as a ransom. Instead, the amount that the attackers ask for in exchange for the promise of decrypting the files is dynamically generated using the UserID that the ransomware has assigned to that victim. This process results in the ransom amount being unique each time, ranging from 0.01 to 0.02 BTC.

"The trick with the unique ransom is unprecedented: we have never seen it in any ransomware targeting the Android ecosystem," says Štefanko. "Rather, the goal is to identify payments per victim, which is usually solved by creating a unique Bitcoin wallet for each encrypted device. In this campaign, we detected that only one Bitcoin wallet was used."

According to Lukáš Štefanko, users of devices protected by ESET Mobile Security are not at risk from this threat. "They receive a notification about the malicious link. Even if they ignore the warning and download the application, the security solution will block it."
