To avoid such SMS attacks, use temporary phone numbers and never enter a personal number on suspicious sites.
The Android ransomware, dubbed Android/Filecoder.C, has been active since at least July 12, when researchers discovered it through two domains linking to it. The links were distributed mainly on online forums: on Reddit, in a series of related posts, and on the Android developer forum XDA Developers, in sections devoted to technical topics.
“Using the victim’s contact lists, it spreads further via SMS with malicious links. Due to narrow targeting and campaign flaws, the impact of this new ransomware is limited,” said Lukas Stefanko of ESET in the analysis of the ransomware. “However, if operators start focusing on wider user groups, the Android/Filecoder.C ransomware could be a serious threat.”
In addition to online forums, researchers found that the malicious links are distributed via SMS. Once a victim is infected, the ransomware sends links to the malicious domains by SMS to everyone in the victim’s contact list. These messages add a degree of urgency and personalization to lure the contacts into opening them: each message addresses the contact by the name stored in the victim’s address book and claims that the contact’s photos are being used in a sex simulation game.
“These messages include links to the ransomware; to increase the interest of potential victims, the link is presented as a link to an application that allegedly uses the potential victim’s photographs,” Stefanko said.
The link sent to targets points to a malicious application that the victim must install manually. Once launched, the application displays whatever was promised in the posts that distributed it, most often an online simulator.
Behind the scenes, however, the ransomware activates, establishes command-and-control communications, sends the malicious messages to the victim’s contacts, and sets up its encryption and decryption mechanism.

[Image caption: Android ransomware Android/Filecoder.C]
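The propagation pattern described above (one application sending link-bearing, name-personalised messages to many distinct contacts in a short burst) is something a defender can look for in outgoing-SMS telemetry. The following detection heuristic is an added example written for this article, not code from ESET or from the malware; the log format (`timestamp|app|contact name|body`), the package names and the `example.invalid` URL are all constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")

# Constructed outgoing-SMS log in a hypothetical pipe-separated format.
# Six near-identical link messages from one app within two minutes mimic the
# worm-like SMS spreading; the messenger lines are benign noise.
SAMPLE_LOG = """
2019-07-15T10:00:01|com.example.simulator|Alice|Hi Alice, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:00:03|com.example.simulator|Bob|Hi Bob, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:00:05|com.example.simulator|Carol|Hi Carol, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:00:09|com.example.simulator|Dave|Hi Dave, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:01:12|com.example.simulator|Eve|Hi Eve, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:01:40|com.example.simulator|Frank|Hi Frank, your photos are in this game: http://example.invalid/app.apk
2019-07-15T10:05:00|com.example.messenger|Alice|Still on for lunch? Menu: http://example.invalid/menu
2019-07-15T11:00:00|com.example.messenger|Bob|lol
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, app, contact, body) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, app, contact, body = line.split("|", 3)
        entries.append((datetime.fromisoformat(ts), app, contact, body))
    return entries


def normalise(body, contact):
    """Collapse per-recipient personalisation so copies of one template compare equal."""
    return URL_RE.sub("<URL>", body).replace(contact, "<NAME>").lower()


def find_sms_worm(entries, min_recipients=5, window=timedelta(minutes=10)):
    """Return {app: distinct contacts} for apps that send one link-bearing
    template to at least min_recipients distinct contacts inside the window."""
    by_app = defaultdict(list)
    for ts, app, contact, body in entries:
        if URL_RE.search(body):
            by_app[app].append((ts, contact, normalise(body, contact)))
    flagged = {}
    for app, sends in by_app.items():
        sends.sort()
        for i, (start, _, template) in enumerate(sends):
            contacts = {c for ts, c, t in sends[i:] if t == template and ts - start <= window}
            if len(contacts) >= min_recipients:
                flagged[app] = len(contacts)
                break
    return flagged
```

The threshold and window are tuning knobs; a legitimate group invitation can also send one template to several contacts, so treat a hit as a triage signal, not proof of infection.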
The ransomware encrypts many file types, including DOC, PPT and JPEG. It leaves a file unencrypted if its extension is .zip or .rar and its size exceeds 51,200 KB (50 MB). JPEG, JPG and PNG files smaller than 150 KB are also left unencrypted.
After encrypting the victim’s files, the ransomware displays a ransom note in the application demanding payment in bitcoin. The note warns that the data will be lost after 72 hours, and that the files will never be decrypted if the application is deleted.
“It is true that if the victim uninstalls the application, the ransomware will not be able to decrypt the files, as indicated in the ransom note,” the researchers said. “In addition, according to our analysis, there is nothing in the ransomware code to support the claim that the affected data will be lost after 72 hours.”
Although the researchers do not say how many users were infected, Stefanko said that one such bit link distributed on Reddit had reached 59 clicks from different sources and countries when checked.
The researchers urged Android users to protect themselves by keeping their devices updated and limiting application downloads to Google Play. Android devices face many other threats: a new strain of Android malware called Agent Smith has infected 25 million phones, replacing legitimate apps with doppelgangers that display fraudulent ads, researchers say. Researchers have also discovered an Android remote access Trojan called Monokle, which uses novel techniques to exfiltrate data.