Mobile Ransomware Targets Android Users Through SMSFilecoder.C Can Infect Multiple Contacts With Malicious Links
A newly discovered mobile ransomware strain called Filecoder.C is targeting Android devices through malicious links in online forums and then spreading via contact lists through SMS messages that attempt to entice others to install an app, according to research published Monday by the security firm ESET.
See Also: How to Defend Your Attack Surface
So far, Filecoder.C is not widespread because of its limited targeting of users and poor design flow, according to the ESET researchers. But that could change if the attackers behind it began to target a much broader set of victims.
The malware strain was discovered earlier this month when some Android users began contacting ESET to report a malicious link within their devices, ESET explains in a blog.
The downloadable payload has been active since about July 12. It was initially spread to smartphone users through online forums such as Reddit and XDA Developers, where it lured the users to install an app to gain access to pornographic content, says Lukas Stefanko, a security researcher at ESET.
In his blog post, Stefanko notes that when contacted by ESET, the XDA Developers forum, which is used by Android developers, took down the malicious link. The malicious link found within the Reddit forum, however, remains active.
Once the malicious link is clicked on and the ransomware gains access to the Android device, FildCoder.C encrypts the majority of systems files within the smartphone. Next, the attackers demand a ransom $98 to $188 in bitcoins, ESET reports.
It's not clear how widespread this ransomware attack is or where the malware originated. ESET determined that attacks using FildCoder.C have only generated about 59 clicks across the world, with the majority of victims in China or the U.S.
Once the victims have installed the app, pornographic content is shown, while in the background the ransomware, which has access to the contact list, sends SMS messages to stored contacts on the infected mobile device, ESET notes. The malware has been designed to carry out the large-scale attacks, it adds.
In addition to sending SMS links, the attackers also add QR codes to direct the contacts to the malicious app, the researcher note.
"To maximize its reach, the ransomware has 42 language versions of the message template," Stefanko says. "Before sending the messages, it chooses the version that fits the victim device's language setting. To personalize these messages, the malware prepends the contact's name to them."
After gaining access to the victims' storage files, the malware encrypts a variety of file types, including text and image files, but researchers found it skips Android-specific files. This led researchers to believe that the creators may have used some source code from previous ransomware attacks, including WannaCry.
"The list of file types contains some entries unrelated to Android and at the same time lacks some typical Android extensions such as .apk, .dex and .so. Apparently, the list has been copied from the notorious WannaCryptor aka WannaCry ransomware," EST points out.
While earlier ESET research suggested that decrypting files was possible by tweaking the encryption algorithm, the security firm later clarified that the decryption of the hard code would be impossible because it's built on an RSA-1024 public key.
"This 'hardcoded key' is an RSA-1024 public key, which can't be easily broken, hence creating a decryptor for this particular ransomware is close to impossible," the ESET blog states.
Rising Threat to Android
Owing to their rise in popularity, Android-based devices have become an attractive target for threat actors, who depend on mechanisms such as fake apps and other sophisticated tools to steal sensitive credentials from billions of users, security researchers say.
About 2.5 billion devices run Android, Stephanie Cuthbertson, Android's senior director, told a Google developer conference earlier this year.
With so many Android smartphones in use, the amount of cybercrime activity targeting these devices has gone up significantly, according to various reports.
For example, in a study conducted by G Data, researchers found almost 3.2 million new Android malware samples during the third quarter of 2018, which translates into discovering 11,700 new malware samples each day.
In January, Google dropped two apps from its Play Store that were linked to banking malware called Anubis, according to researchers from Trend Micro who analyzed the phishing campaign.
The apps - Currency Converter and BatterySaverMobi - used advanced techniques to evade security filters, according to Trend Micro. The BatterySaverMobi app had more than 5,000 downloads with a user rating of 4.5 stars.
By disguising itself within both of these apps, the malware was able to prompt the users to grant accessibility rights, helping attackers to steal account information, Trend Micro says.