Information security experts have detected new malware on Android, Android/Filecoder.C, that extorts money from users of Android-based devices, the antivirus company ESET stated on its website. This new family of ransomware is being distributed via a variety of online platforms and forums; once installed, it grabs hold of the victim's contact list and spreads further via SMS messages carrying malicious links.
After the ransomware sends out the messages, it encrypts most of the user's files on the device and demands a ransom. The ransom amount is a dynamic number: its leading part is the amount of bitcoins demanded (0.01, which falls in the range of US$94-188), while the last six digits are the user ID generated by the malware.
The attackers based their campaign on essentially two domains that serve the harmful files to Android devices, luring potential targets to those domains via posts or comments on Reddit or XDA Developers.
The topics were found to be largely porn-related, appealing to the raunchy side of human nature, or, alternatively, having to do with innovative technology. For instance, the Reddit and XDA forum posts "promote" the malicious app as a free online sex simulation game, bait intended to catch targets off guard and get them to download the malware-ridden app.
All the comments and posts include direct links or bar codes leading to the money-extorting apps, which are reportedly capable of encrypting a wide array of file types from accessible storage, including ordinary text files and images, while skipping Android-specific files such as .apk and .dex as well as compressed archives in the .zip and .rar formats.
"To maximise its reach, the ransomware has 42 language versions of the message template [...]. Before sending the messages, it chooses the version that fits the victim device's language setting," ESET found, adding that "to personalise these messages, the malware prepends the contact's name to them".
The code to decrypt the encrypted personal files, including "potential victims' photos", is in turn present in the ransomware itself; the intended flow is that once the victim pays the ransom, the ransomware operator verifies the payment via the website and sends the private key needed to decrypt the files.
As reported by We Live Security, it appears that if the affected user opts to remove the app after receiving the ransom note, the malware will no longer be able to decrypt the files, just as the ransom note itself states. Separately, according to the outlet's analysis, there is hardly anything in the ransomware code to support the note's claim that the affected data will be deleted after 72 hours.
It is assumed that if the operators start targeting broader audiences, Android/Filecoder.C, which has been on the loose since at least 12 July, may pose a serious danger. According to the ESET statement, should users ignore the warning displayed about the harmful content of the link and proceed to download the app, ESET's security solution will block it; how well users of other antivirus software are protected remains unclear.