New Filecoder Android Ransomware Uses Salacious Content To Coordinate SMS Attacks

Texting Ransomware
Security researchers at ESET have discovered an active ransomware campaign targeting Android users, ending a two-year decline in this form of malware on Google's mobile platform. Unlike earlier Android ransomware campaigns, this one employs "some unusual tricks" to attract victims and then spreads itself to the victim's contacts by text message.

ESET is calling this ransomware strain Android/Filecoder.C (just Filecoder from here on out). It is distributed mainly through malicious posts on Reddit and the XDA Developers forum, the latter a popular hangout for Android developers and enthusiasts. The posts lure victims by promising salacious material, such as porn-related content and sex simulators, with the download hidden behind QR codes and shortened links.

Those are all red flags, of course, and anyone who ignores them can end up with a compromised handset. The malicious app generally does deliver the promised content, but only as cover for its real functions: communicating with command-and-control (C&C) servers, sending text messages to the victim's contacts, and encrypting files on the device.

"The malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service," ESET explains.

Filecoder Android Ransomware
Source: ESET (WeLiveSecurity)

Once installed, Filecoder first sends a text message carrying a link to the malicious app to every contact in the victim's address book. It then walks the files on accessible storage and encrypts most of them, skipping ZIP and RAR archives, temporary files, files larger than 50 MB, and JPEG and PNG images smaller than 150 KB.
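As an added illustration (not ESET's code and not the malware's), here is a small Python triage helper that encodes the file-selection rules reported above and runs them over a constructed storage listing. Two points are assumptions: the `.jpeg` extension is treated the same as `.jpg`, and "temporary files" is read as files with a `.tmp` extension or anything under a directory named `tmp` or `temp`. The 50 MB and 150 KB thresholds are applied literally as "over" and "less than".

```python
import os
from typing import Iterable, List, Tuple

# Thresholds and exclusions as reported by ESET for Android/Filecoder.C.
MAX_SIZE_BYTES = 50 * 1024 * 1024             # files over 50 MB are skipped
SMALL_IMAGE_BYTES = 150 * 1024                # JPEG/PNG under 150 KB are skipped
ARCHIVE_EXTENSIONS = {".zip", ".rar"}         # never encrypted
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}  # .jpeg counted as JPEG: assumption

# Assumption: "temporary files" means a .tmp extension or a file living under
# a directory named tmp/temp (case-insensitive). The report does not spell this out.
TEMP_DIR_NAMES = {"tmp", "temp"}
TEMP_EXTENSIONS = {".tmp"}


def is_temporary(path: str) -> bool:
    """Heuristic for the 'temporary files' exclusion (an assumption, see above)."""
    ext = os.path.splitext(path)[1].lower()
    if ext in TEMP_EXTENSIONS:
        return True
    parts = [p.lower() for p in path.split("/") if p]
    return any(p in TEMP_DIR_NAMES for p in parts[:-1])  # directories only, not the file name


def would_be_encrypted(path: str, size_bytes: int) -> bool:
    """True if a file at `path` with `size_bytes` falls inside the reported targeting rules."""
    ext = os.path.splitext(path)[1].lower()
    if ext in ARCHIVE_EXTENSIONS:
        return False
    if is_temporary(path):
        return False
    if size_bytes > MAX_SIZE_BYTES:
        return False
    if ext in IMAGE_EXTENSIONS and size_bytes < SMALL_IMAGE_BYTES:
        return False
    return True


def triage(inventory: Iterable[Tuple[str, int]]) -> Tuple[List[str], List[str]]:
    """Split a (path, size) listing into files at risk and files the malware would skip."""
    at_risk, skipped = [], []
    for path, size in inventory:
        (at_risk if would_be_encrypted(path, size) else skipped).append(path)
    return at_risk, skipped


# Constructed sample listing of a phone's external storage (not real data).
SAMPLE_INVENTORY = [
    ("/sdcard/DCIM/Camera/IMG_0001.jpg", 3_200_000),           # normal photo: encrypted
    ("/sdcard/DCIM/.thumbnails/th_0001.jpg", 12_000),          # small thumbnail: skipped
    ("/sdcard/Download/report.pdf", 840_000),                  # document: encrypted
    ("/sdcard/Download/backup.zip", 20_000_000),               # archive: skipped
    ("/sdcard/Movies/holiday.mp4", 900_000_000),               # over 50 MB: skipped
    ("/sdcard/Android/data/app/cache/tmp/upload.tmp", 5_000),  # temporary: skipped
    ("/sdcard/Pictures/logo.png", 140_000),                    # PNG under 150 KB: skipped
    ("/sdcard/Pictures/scan.png", 160_000),                    # PNG over 150 KB: encrypted
]

if __name__ == "__main__":
    at_risk, skipped = triage(SAMPLE_INVENTORY)
    print("would be encrypted:", *at_risk, sep="\n  ")
    print("would be skipped:", *skipped, sep="\n  ")
```

Run against a real listing (for example the output of `find /sdcard -type f -printf '%p %s\n'` over `adb shell`), this gives an investigator a quick estimate of which files on an affected device fall within the malware's scope and which, such as archives, large videos and small images, should survive untouched, which helps when prioritising recovery.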

At the current Bitcoin exchange rate, the ransom typically amounts to $94 to $188. The ransom note warns that uninstalling the malicious app will make the files impossible to decrypt, and ESET's analysis confirms that claim, so a victim who hopes to recover data should preserve the device and the installed app (for example by backing it up) rather than removing the app straight away. The note also threatens to delete the encrypted data after 72 hours, but ESET found no evidence that the malware actually does so.

This is all concerning, though relatively easy to avoid with some commonsense practices. Install apps only from trusted sources, and pay attention to the permissions an app asks for: a "sex simulator" that wants to read contacts and send SMS is asking for exactly what this campaign needs to spread. And an app link that arrives by text message, even from a known contact, should not be installed, since that is precisely how this campaign propagates.