New Ransomware for Android Infects Its Victims Using SMS Spam
By Chaitra V M
Hackers use different ways to break into a smartphone, such as viruses, malware, worms, Trojan horses and phishing, to gain access to personal information.
A new ransomware family is targeting Android devices and spreading to other victims by sending text messages containing malicious links to the entire contact list.
This ransomware differs from the rest. Unlike past ransomware, it uses text messages to spread to other Android devices.
The ransomware sends a malicious link by text message to all the contacts on the infected smartphone. Devices running Android 5.1 Lollipop or later versions are the main targets. The security researchers who discovered the ransomware have classified it as Android/Filecoder.C (FileCoder).
After the malicious link has been sent by SMS, the ransomware encrypts most user files on the device and requests a ransom. Because the encryption is flawed, the affected files can be decrypted without any assistance from the attacker. The malware does not encrypt files that have the ‘rar’ or ‘zip’ extension.
The malware is distributed via various online forums and has been active since July 12, 2019. A few days after its discovery, researchers extracted samples of the malware from several posts shared on XDA Developers and Reddit.
FileCoder’s developers used two servers to distribute the ransomware, with the malicious payloads linked from both the text messages sent to the victims’ entire contact lists and the forum posts.
The samples of the ransomware are linked with the help of QR codes, which make it faster for mobile users to get the malicious APKs onto their devices and install them.
The forum posts promote the malicious app as a free online sex simulator game, which should also lower potential targets’ guard enough to get them to download and install the ransomware-ridden app on their devices.
Android/Filecoder.C uses the victim’s contact list to spread further via SMS messages containing malicious links. To maximize its reach, the ransomware has 42 versions of the message template.
FileCoder spreads itself via SMS to the victim’s contact list before it starts encrypting files in all the folders on the device’s storage that it can access. The .seven extension is appended to the original file names, and system files are skipped.
Android/Filecoder.C uses both symmetric and asymmetric algorithms to encrypt files. The ransomware generates a new AES key while encrypting files.
The ransomware also leaves files unencrypted if the file extension is “.rar” or “.zip” and “.jpg”, “.jpeg” and “.png” files with size more than 50 MB, and with a file size less than 150 KB.
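For responders working from a copy of an affected device's storage, the renaming behaviour described above makes affected files easy to inventory. The following is an added example, not code from the article or from the researchers; the function name `triage`, the result keys and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".seven"      # extension the article says FileCoder appends
SKIPPED_EXTS = {".rar", ".zip"}  # extensions the article says are left unencrypted

def triage(root):
    """Walk a copy of device storage and inventory files renamed with .seven."""
    encrypted, intact, unexpected = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() != ENCRYPTED_SUFFIX:
                intact.append(path)
                continue
            # "photo.jpg.seven" -> original name "photo.jpg"
            encrypted.append((path, os.path.join(dirpath, stem)))
            # An archive carrying the suffix contradicts the described
            # skip rule, so surface it for manual review.
            if os.path.splitext(stem)[1].lower() in SKIPPED_EXTS:
                unexpected.append(path)
    by_type = Counter(
        os.path.splitext(orig)[1].lower() or "(none)" for _p, orig in encrypted
    )
    return {
        "encrypted": sorted(encrypted),
        "intact": sorted(intact),
        "unexpected": sorted(unexpected),
        "by_type": dict(by_type),
    }

if __name__ == "__main__":
    # Constructed sample tree standing in for a pulled copy of device storage.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "DCIM"))
    for rel in ("DCIM/a.jpg.seven", "notes.txt.seven", "backup.zip", "readme"):
        open(os.path.join(root, rel), "w").close()
    report = triage(root)
    print("encrypted by original type:", report["by_type"])
    for enc, orig in report["encrypted"]:
        print(f"{enc} -> original name {orig}")
    print("intact:", report["intact"])
```

The `encrypted` list pairs each renamed file with its original name, which gives the target names for restoring files once they have been decrypted or recovered from backup.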
The FileCoder ransomware asks its victims for a ransom in Bitcoin. The ransom amount ranges from $94 to $188. A warning is also given: pay within 72 hours, or three days, or lose access to the data.