A new family of ransomware targeting Google's Android OS uses SMS messages to spread.
Researchers at ESET have published their analysis of the new malware, detected as Android/Filecoder.C, which they say marks the end of a two-year decline in new Android ransomware detections.
Filecoder has been active since at least July 12, 2019, and spreads through malicious posts and comments on online forums, including Reddit and the XDA Developers Android developer message board.
Most of the malicious posts and comments found by ESET try to lure victims into downloading the malware with pornographic content, hiding the download location behind bit.ly short links.
Once installed on an Android device, Filecoder harvests the victim's contact list and sends a text message to every entry. The message advertises an app that supposedly uses the recipient's photos; in fact, the link leads to the malicious app that distributes the ransomware.
Depending on the language setting of the infected device, the message is sent in one of 42 language versions, and the recipient's name is inserted automatically. If the recipient clicks the link and manually installs the app, it typically shows what it promised, such as a sex simulator game, while the real payload runs quietly in the background.
The app's Command-and-Control (C2) settings and Bitcoin wallet addresses are hardcoded in its source code, but the attackers also use Pastebin as a channel to retrieve updated values dynamically, so they can change them at any time.
Once the propagation messages have been sent, Filecoder scans the device's accessible storage and encrypts most of the files it finds. The target list covers common document, text and image file types but excludes Android-specific files such as .apk or .dex.
ESET believes that this list of file types is little more than a copy-and-paste of the one used by WannaCry, a far more serious and notorious ransomware family.
A ransom note is then displayed demanding a cryptocurrency payment worth roughly $100 to $200. The note threatens that the files will be lost after a deadline, but there is no evidence in the malware's code that anything actually deletes them when that deadline passes.
The malware does not lock the screen or prevent the phone from being used, but if the victim uninstalls the app, the files can no longer be decrypted through the attackers' ransom process. Because of flawed encryption, however, the researchers say it is still possible to recover the files without paying.
While encrypting the device's contents, Filecoder generates a public and private key pair. The private key is encrypted with an RSA algorithm using a hardcoded value and sent to the operator's C2 server, the idea being that if a victim pays, the attacker can decrypt the private key and hand it back to the victim.
However, the researchers say that the hardcoded key value can be used to decrypt the files without paying the ransom by "changing the encryption algorithm to a decryption algorithm"; all that is needed in addition is the UserID that the ransomware gives the victim in the ransom note.
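The key-handling flaw described above, as an added illustration: this is not the malware's code and not ESET's, and the real sample's file format, key sizes and cipher are not on this page. The model has per-file keys sealed to a per-device RSA public key, while the device's private key is wrapped under a constant embedded in the app, so anyone who extracts that constant from the APK can unwrap the private key and decrypt every file. The toy RSA (small Miller-Rabin primes, no padding), the SHA-256 keystream standing in for the symmetric cipher, the ".locked" suffix and the assumption that the ransom-note UserID carries the wrapped private key are modelling choices, not facts about Filecoder.C.

```python
# Added toy model of the key-handling flaw; not Filecoder.C's code and not ESET's.
# Assumptions: toy RSA (small Miller-Rabin primes, no padding), a SHA-256 counter
# keystream in place of the real symmetric cipher, a placeholder ".locked" suffix,
# and a ransom-note UserID modelled as carrying the wrapped private key. Not secure.
from __future__ import annotations

import hashlib
import secrets

HARDCODED_WRAP_KEY = b"constant-shipped-inside-the-apk"  # stands in for the hardcoded value
RSA_BITS = 192          # toy key size; real deployments would use 2048+ bits
RSA_BYTES = RSA_BITS // 8
FILE_KEY_LEN = 16       # per-file symmetric key; must be smaller than the modulus
SUFFIX = ".locked"      # placeholder, not the real malware's extension


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for toy key sizes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = RSA_BITS) -> tuple[tuple[int, int], int]:
    """Toy RSA key generation: returns ((n, e), d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter keystream XORed over the data (encrypt == decrypt)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], keystream))
    return bytes(out)


def infect(files: dict[str, bytes]) -> tuple[dict[str, bytes], str]:
    """Model of the encryption stage. Returns the encrypted files and the ransom-note UserID."""
    (n, e), d = generate_keypair()
    encrypted = {}
    for name, plaintext in files.items():
        file_key = secrets.token_bytes(FILE_KEY_LEN)                 # fresh key per file
        sealed_key = pow(int.from_bytes(file_key, "big"), e, n)      # RSA-encrypt it to the device key
        encrypted[name + SUFFIX] = sealed_key.to_bytes(RSA_BYTES, "big") + _stream_xor(file_key, plaintext)
    # The flaw: the device private key is wrapped under a constant embedded in the app.
    wrapped_priv = _stream_xor(HARDCODED_WRAP_KEY, d.to_bytes(RSA_BYTES, "big"))
    user_id = (n.to_bytes(RSA_BYTES, "big") + wrapped_priv).hex()  # assumption: the note's UserID carries this
    return encrypted, user_id


def recover_without_paying(encrypted: dict[str, bytes], user_id: str, wrap_key: bytes) -> dict[str, bytes]:
    """Victim-side recovery using only the ransom note's UserID and the constant pulled from the APK."""
    blob = bytes.fromhex(user_id)
    n = int.from_bytes(blob[:RSA_BYTES], "big")
    d = int.from_bytes(_stream_xor(wrap_key, blob[RSA_BYTES:]), "big")
    recovered = {}
    for name, data in encrypted.items():
        key_int = pow(int.from_bytes(data[:RSA_BYTES], "big"), d, n)
        if key_int >= 1 << (8 * FILE_KEY_LEN):
            raise ValueError(f"{name}: unwrapped file key out of range, wrong wrap key?")
        file_key = key_int.to_bytes(FILE_KEY_LEN, "big")
        recovered[name[:-len(SUFFIX)]] = _stream_xor(file_key, data[RSA_BYTES:])
    return recovered


if __name__ == "__main__":
    # Constructed sample files standing in for a victim's storage.
    sample = {"photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes", "notes.txt": b"call the bank on Monday"}
    enc, uid = infect(sample)
    print("UserID shown in ransom note:", uid[:24] + "...")
    print("recovered without paying:", recover_without_paying(enc, uid, HARDCODED_WRAP_KEY) == sample)
```

Extracting HARDCODED_WRAP_KEY from a decompiled APK is the one analyst step the example takes for granted; everything else the victim already holds. Recovery is the same set of primitives with the roles swapped, which is what "changing the encryption algorithm to a decryption algorithm" amounts to, and why a constant that suffices to unwrap the private key defeats the scheme no matter how strong the per-file cipher is.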