A new family of Android ransomware has emerged, according to researchers at ESET.

In a post the researchers stated that the new Android ransomware had been discovered being distributed across various online forums, including Reddit.

Lukas Stefanko, ESET malware researcher explained in a blog post that the ransomware is being spread further via SMS, by using victims’ contact lists.

“Android/Filecoder.C has been active since at least July 12th, 2019. Within the campaign we discovered, Android/Filecoder.C has been distributed via malicious posts on Reddit and the “XDA Developers” forum, a forum for Android developers,” Stefanko continued.

Once the ransomware sends out the malicious SMSes with the links, it encrypts the majority of user files on the device, and requests a ransom.

Researchers discovered the malicious campaign on posts that were porn-related, however some were found on posts that were tech-related. In all comments or posts, QR codes and links had been included.

“To maximize its reach, the ransomware has the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” Stefanko added.

Stefanko continued to explain that once a victim receives an SMS message with a link to the malicious application, the victims will have to install it manually. Once the app is launched, “it displays whatever is promised in the posts distributing it”.

“The malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.”

If the victim removes the app, the ransomware cannot decrypt the files, as stated in the ransom note. Additionally, according to the researcher’s analysis, there is nothing in the ransomware code to support the claim that the affected data will be lost in 72 hours.

XDA Developers and Reddit have been alerted about the malicious activity. The posts on the XDA Developers forum were “removed swiftly”, and the posts on Reddit was still up at the time of publication.

The ransom is $94-$188.

It is has been advised that Android users to stick with Google Play or other reputable app stores, as well as keeping devices up to date.


GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/


comments powered by Disqus