It can be ransomware attacking Android have been on a downward trend since 2017, however recently, its researchers ESET discovered a new family, the Android / Filecoder.C, which uses the victims' contact list and tries to spread further through SMS with malicious links.
This new one ransomware spreads to Reddit through topics with pornographic content. THE ESET has reported the malicious profile used in its proliferation campaign ransomware, however it is still active. For a short time, the campaign had also run on "XDA developers», A forum for developers Android.
According to her report ESET, the cybercriminals who handle it ransomware, have removed the malicious posts.
"The campaign we discovered is small and rather amateurish. However, if it improves infection techniques, this new ransomware could become a serious threat ", comments her researcher ESET Lukš Štefanko, head of research.
Android / Filecoder.C uses interesting spreadsheets. Before you start encrypting files, multiple text messages are sent to each address in the victim's contact list, prompting recipients to click on a malicious link that leads to the file for installation. ransomware.
"Theoretically, infinite infections can occur, as in fact this malicious message is available in 42 languages (ss: and in Greek as you can see in the picture above). "Fortunately, even users who are less suspicious can understand that the messages are not translated correctly and in some languages do not seem to make sense." Lukš Štefanko.
In addition to its non - traditional mechanism of spread, the Android / Filecoder.C has some anomalies in its encryption. Ε
extracts large files (over 50 MB) and small images (below 150 kB), while the list of "file types for encryption" contains many entries that are not related to Android, while missing some of the extensions that are common for Android.
"Obviously, the list has been copied from the infamous ransomware WannaCry", Observes Štefanko.
There are other interesting facts about the unorthodox approach used by the developers of this malware. Unlike the standard ones ransomware for AndroidThe Android / Filecoder.C does not prevent the user from accessing the device by closing the screen. In addition, no specific amount has been set as a ransom.
Instead, the amount demanded by attackers in return for the promise of decrypting files is dynamically generated using UserID which has determined the ransomware for the specific victim. This process results in the ransom amount being unique each time, ranging from 0,01-0,02 BTC.
The trick with the unique ransom is unprecedented: we have never seen it before ransomware targeting the ecosystem Android» says Štefanko. "Rather, the goal is to identify payments per victim, which is usually solved by creating a unique wallet. Bitcoin for each encrypted device. In this campaign, we detected that only one wallet was used Bitcoin.
According to Lukš Štefanko, users with devices protected by ESET Mobile Security they are not in danger from this threat. "They are receiving notification of the malicious link. "Even if they ignore the warning and download the application, the security solution will block it."
Sail Safe: This discovery shows that ransomware is still a threat to mobile devices Android. To stay safe, users must adhere to basic safety principles:
Always keep their devices up to date, ideally setting them to be updated automatically.
It is better to prefer the Google Play or other trusted app stores. They may not be completely free of malicious applications there either, but they are more likely to avoid them.
Before installing any application, check the ratings and reviews, focusing on the negatives, as they often come from regular users, while positive feedback is often created by cybercriminals.
Pay special attention to the rights requested by the application and avoid receiving it, if these seem disproportionate to the functions of the application.
Use a reliable mobile security solution to protect your device.
For more information, read the relevant blog on We Live Security.