Security researchers have spotted a new ransomware family targeting Android smartphones. This family differs from earlier Android ransomware in one important way: it uses text messages to spread to other devices. The ransomware sends SMS messages carrying malicious links to every contact stored on the infected phone. According to the researchers, the malware currently targets devices running Android 5.1 Lollipop or later. The researchers who discovered it have classified it as Android/Filecoder.C (FileCoder).
Android ransomware FileCoder details
According to a report by cybersecurity company ESET, its researchers first spotted the ransomware on July 12. The people trying to infect unsuspecting Android users were distributing the payload through posts on XDA Developers and Reddit. The report noted that XDA Developers removed the malicious posts after being notified about the issue; the threads on Reddit, however, were still up. The report added that the people behind FileCoder are using two servers to distribute the ransomware, and that the links in both the text messages and the Reddit and XDA posts point to that payload.
#BREAKING New #Android #ransomware named Android/Filecoder has been discovered by #ESETresearch Using victim’s contact list, it spreads further via SMS with malicious links. #cybersecurity @LukasStefanko fighting #cybercrime https://t.co/aXS2Hx5eyU pic.twitter.com/Y1H9vIXBKL
— ESET research (@ESETresearch) July 29, 2019
The posts also carry QR codes so that a device can fetch the infected APK file directly. The report also revealed that the developers are disguising the ransomware app as a free online sex simulator game. A separate report by BleepingComputer revealed that the app requests a number of permissions when installed: setting the wallpaper, reading and writing external storage, reading contacts, internet access, sending SMS, and "receive boot completed". To reach as many users as possible, the malware authors added message templates in 42 different languages; the malware reads the device's language setting and sends the matching message.
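The permission list above is the most practical indicator an analyst gets before running the sample. The following triage script is an added example, not tooling from ESET or BleepingComputer: it parses a decoded AndroidManifest.xml (the form apktool produces), collects the declared permissions, and checks them against the set the article lists. The permission constants are the real Android names; the "spread and encrypt" heuristic, the sample manifests and the package names are constructed for this example.

```python
"""Triage the permission set of a decoded Android manifest.

Added example, not ESET's or BleepingComputer's tooling. The permission
constants are the real Android names for the permissions the article lists;
the risk heuristic and the sample manifests (including package names) are
constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The permissions the article says the Filecoder.C APK requests at install.
FILECODER_PERMISSIONS = frozenset({
    "android.permission.SET_WALLPAPER",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
})

# Heuristic of this example (not from the reports): an app that can read
# contacts, send SMS and write external storage has everything it needs to
# spread the way Filecoder.C does and to encrypt the user's files.
SPREAD_AND_ENCRYPT = frozenset({
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml):
    """Summarise a manifest: package, permissions and whether it fits the profile."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "filecoder_profile": FILECODER_PERMISSIONS <= perms,
        "spread_and_encrypt": SPREAD_AND_ENCRYPT <= perms,
        "missing_from_profile": sorted(FILECODER_PERMISSIONS - perms),
    }


# Constructed manifest, in the form apktool produces after decoding; the
# package name and the receiver class are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simulator">
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Game">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# A constructed benign game that only needs network access, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

A full match on the seven-permission profile is specific to this sample; the smaller contacts/SMS/storage check is the part worth keeping as a general screen, since no legitimate game needs all three.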
Some weird behavior for ransomware
Digging deeper, the ransomware asks its victims to pay in Bitcoin and provides the Bitcoin address to pay to. The ransom ranges between $94 and $188. It also warns that the victim has 72 hours, or three days, to pay or lose access to the data. However, nothing in the ransomware's code indicates that it can delete any data. The IP address of the command-and-control server is hard-coded, but the developers can also change it to a new value through the Pastebin service.
ESET revealed that the malware first sends the SMS messages to the contact list and only then starts encrypting files. It marks every non-system file it encrypts with the extension .seven. Files larger than 50 MB are left unencrypted, and so are .zip, .rar, .jpeg, .jpg, and .png files smaller than 150 KB. ESET also noted that the ransomware author appears to have copied the list of file types to encrypt from the notorious WannaCryptor (WannaCry) ransomware.
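The size and extension rules above decide what a victim actually loses, so they are worth modelling when estimating impact. The script below is an added example, not code from the ransomware or from ESET's report: it implements only the rules the article states (skip files over 50 MB, skip the five listed archive and image types under 150 KB, mark the rest with .seven) and runs them over a constructed file listing. Two details are assumptions of this example: "system files" are recognised by path prefix, and .seven is appended after the original extension.

```python
"""Model the file-selection rule the article attributes to Android/Filecoder.C.

Added example, not code from the ransomware or from ESET. It implements only
the rules quoted in the article: files larger than 50 MB are skipped, .zip,
.rar, .jpeg, .jpg and .png files smaller than 150 KB are skipped, and every
other non-system file is marked with the .seven extension. Assumptions of
this example: system files are identified by a path prefix, and .seven is
appended after the original extension.
"""
import os

KB = 1024
MB = 1024 * KB
MAX_SIZE = 50 * MB                  # "more than 50 MB" is left alone
SMALL_MEDIA_LIMIT = 150 * KB        # listed types "less than 150 KB" are left alone
SMALL_MEDIA_EXTS = {".zip", ".rar", ".jpeg", ".jpg", ".png"}
ENCRYPTED_EXT = ".seven"
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/data/app/")   # assumption


def extension(path):
    """Lower-cased extension including the dot, or '' if the name has none."""
    return os.path.splitext(path)[1].lower()


def would_encrypt(path, size):
    """True if a file at `path` of `size` bytes matches the targeting rule."""
    if path.startswith(SYSTEM_PREFIXES):
        return False                # non-system files only (prefixes assumed)
    if size > MAX_SIZE:
        return False                # over 50 MB: skipped
    if extension(path) in SMALL_MEDIA_EXTS and size < SMALL_MEDIA_LIMIT:
        return False                # small archive or image: skipped
    return True


def encrypted_name(path):
    """Name the file would carry after encryption (append assumed)."""
    return path + ENCRYPTED_EXT


def plan(listing):
    """Map a (path, size) listing to (path, new_name_or_None); None means untouched."""
    return [(p, encrypted_name(p) if would_encrypt(p, s) else None) for p, s in listing]


# Constructed listing, not taken from a real device.
SAMPLE_LISTING = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", 95 * KB),     # image under 150 KB: skipped
    ("/sdcard/DCIM/Camera/IMG_0002.jpg", 3 * MB),      # large photo: encrypted
    ("/sdcard/Movies/holiday.mp4", 700 * MB),          # over 50 MB: skipped
    ("/sdcard/Documents/taxes.pdf", 220 * KB),         # ordinary document: encrypted
    ("/sdcard/Download/backup.zip", 149 * KB),         # archive under 150 KB: skipped
    ("/system/app/Settings.apk", 4 * MB),              # system path: skipped
]

if __name__ == "__main__":
    for original, new in plan(SAMPLE_LISTING):
        print(f"{original:40} -> {new or '(left alone)'}")
```

Note the boundaries: a file of exactly 50 MB is still encrypted, and a .jpg of exactly 150 KB is too, because the article phrases the exemptions as "more than" and "less than". The practical consequence for victims is that thumbnails and small downloads survive while full-size photos and documents do not.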