Security researchers have discovered a new ransomware family that targets Android users and spreads to the contacts stored in a victim's phone via SMS. ESET researcher Lukas Stefanko discovered the ransomware, named Android/Filecoder.C, in July; it surfaced on Reddit and on the XDA Developers forum and was then spread in large numbers from the phones of its victims.
Initially, the attackers posted links, QR codes or short URLs under pornographic or technical-themed content on the two sites mentioned above, luring users to two attacker-controlled domains that served the malware. Once it is installed on an Android phone, Filecoder.C encrypts most of the user's files on the device for ransom and sends SMS messages containing the malicious link to every contact in the victim's address book in order to spread further.
The researchers found that between June and July, 59 people had been lured to the malicious website through the bit.ly short URL. To widen the infection, Filecoder.C also carries message templates in 42 languages: the message sent to each contact uses the language matching the device's settings and prepends the contact's name to make the text look more personalized.
When an unsuspecting contact receives the message and clicks the link, they are directed to a malicious app that the victim must install manually. Once opened, the app displays pornographic images, presenting itself as an adult online simulator game. The malicious activity, however, runs behind this front: this process mainly downloads Filecoder.C.
Its real purpose is to establish a C&C connection, locate the device's storage, encrypt almost all files, and then demand a ransom of bitcoins worth US$94-188. "The ransomware also leaves files unencrypted if the file extension is '.zip' or '.rar' and the file size is over 51,200 KB/50 MB, and '.jpeg', '.jpg' and '.png' files with a file size less than 150 KB."
The researchers said this in a statement on Tuesday, pointing out that the files are encrypted with an RSA-1024 public key, which is very hard to break. This means that after infection it is almost impossible to recover the files without paying.
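The exclusion rules quoted above are useful to an incident responder who has a file listing (for example, a pre-incident backup index or a listing of the device) and wants to know which files the reported behaviour says should still be intact. The following triage helper is an added example, not ESET's code or anything taken from the malware; it assumes that "KB" means 1024 bytes, that extension matching is case-insensitive, and that the comparisons are strict ("over" and "less than") exactly as quoted. The sample listing is constructed for illustration.

```python
"""Incident-response triage helper built from the file-exclusion rules ESET
reported for Android/Filecoder.C.  Added example, not ESET's or the malware's
code.  Assumptions: KB = 1024 bytes, case-insensitive extensions, and strict
comparisons ("over" / "less than") as quoted in the report."""
from pathlib import PurePosixPath

KB = 1024
LARGE_ARCHIVE_LIMIT = 51_200 * KB   # archives "over 51,200 KB / 50 MB" are skipped
SMALL_IMAGE_LIMIT = 150 * KB         # images "less than 150 KB" are skipped

ARCHIVE_EXTS = {".zip", ".rar"}
IMAGE_EXTS = {".jpeg", ".jpg", ".png"}


def left_unencrypted(name: str, size_bytes: int) -> bool:
    """True if the reported rules say the ransomware would leave this file alone."""
    ext = PurePosixPath(name).suffix.lower()
    if ext in ARCHIVE_EXTS and size_bytes > LARGE_ARCHIVE_LIMIT:
        return True
    if ext in IMAGE_EXTS and size_bytes < SMALL_IMAGE_LIMIT:
        return True
    return False


def triage(listing):
    """Split (name, size_in_bytes) pairs into files expected to be intact and
    files expected to be encrypted, so recovery effort can be prioritised."""
    intact, encrypted = [], []
    for name, size in listing:
        (intact if left_unencrypted(name, size) else encrypted).append(name)
    return {"intact": intact, "encrypted": encrypted}


# Constructed sample listing (hypothetical paths and sizes, not from the report).
SAMPLE_LISTING = [
    ("DCIM/IMG_0001.jpg", 120 * KB),            # small photo: skipped by the rule
    ("DCIM/IMG_0002.JPG", 3 * 1024 * KB),       # 3 MB photo: encrypted
    ("Download/archive.zip", 60 * 1024 * KB),   # 60 MB archive: skipped by the rule
    ("Download/small.rar", 2 * 1024 * KB),      # 2 MB archive: encrypted
    ("Documents/notes.txt", 4 * KB),            # no exclusion applies: encrypted
    ("Pictures/icon.png", 150 * KB),            # exactly 150 KB, not "less than": encrypted
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {names}")
```

Boundary cases are the part worth checking by hand: a 150 KB image is not "less than 150 KB" and a 50 MB archive is not "over 50 MB", so both land in the encrypted bucket under a strict reading of the quoted rule. If a later analysis reports inclusive comparisons, only the two limit checks need to change.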