- The malware does not encrypt files that have ‘zip’ or ‘rar’ extension.
- It also leaves the file unencrypted if its size is over 51,200 KB/50 MB and ‘.jpeg’, ‘.jpg’ and ‘.png’ files with less than 150KB.
A new Android ransomware family, dubbed Android/Filecoder.C, has been found making attempts to infect users. The malware is leveraging unusual tricks to propagate to a victim’s device.
How does it spread?
Discovered by ESET Mobile Security, the malware is distributed via various online forums. The malware has been active since at least July 12, 2019. Within a few days of its discovery, the researchers managed to extract samples of the malware from several posts shared on Reddit and the ‘XDA Developers’ forum.
These posts were created around topics that would lure common users. All of these posts included links or QR codes pointing to the malicious apps. Soon after the discovery, the malicious posts on the XDA Developers forum were removed.
To boost its propagation, Android/Filecoder.C uses the victim’s contact lists and spreads further via SMS with malicious links. This includes links to the ransomware, although they are presented as links to apps. Further to maximize the reach, the ransomware has 42 versions of the message template.
“Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” wrote the researchers.
What are its capabilities?
Once the ransomware sends out a batch of malicious SMSes, it encrypts most of the user files and requests a ransom. Android/Filecoder.C uses an asymmetric and symmetric algorithm to encrypt files. While encrypting files, the ransomware generates a new AES key for each file that will be encrypted.
The malware does not encrypt files that have ‘zip’ or ‘rar’ extension. It also leaves the file unencrypted if its size is over 51,200 KB/50 MB and ‘.jpeg’, ‘.jpg’ and ‘.png’ files with less than 150KB.