Beware! Android ransomware is back

Aug 1 (AZINS) Security researchers have spotted a new ransomware family that is targeting Android smartphones. This family differs from earlier Android ransomware: it uses text messages to spread to other devices.

The ransomware sends text messages with malicious links to all the contacts on the infected smartphone. According to researchers, the malware is currently aiming at Android devices running Android 5.1 Lollipop or later. The security researchers who discovered the ransomware have classified it as Android/Filecoder.C (FileCoder).

Android ransomware FileCoder details

According to a report by cybersecurity company ESET, security researchers initially spotted the ransomware injecting malware on July 12. The people behind it were trying to distribute the payload to unsuspecting Android users through posts on XDA Developers and Reddit. The report noted that XDA Developers removed the malicious posts after being notified about the issue. However, the threads on Reddit were still up. The report added that the people behind FileCoder are using two servers to distribute the ransomware. They have linked the payload from the text messages sent as well as from the Reddit and XDA posts.

They have also linked QR codes so that a device can easily get access to the infected APK file. The report also revealed that the developers of the malware are disguising the ransomware app as a free sex simulator online game. A separate report by BleepingComputer revealed that the ransomware app asks for a number of permissions when installed. 

These include setting the wallpaper, writing and reading the external storage, reading contacts, internet, sending SMS, and “receive boot completed”. To ensure that the ransomware can impact as many users as possible, the malware makers have added message templates in 42 different languages. The malware reads the device's language setting and sends the appropriate message.
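The permission set listed above can be checked during app triage. The following is an added example, not code from ESET, BleepingComputer or the article: it assumes the APK's `AndroidManifest.xml` has already been decoded to plain-text XML (for instance with apktool), and the capability groupings, function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permissions the article reports the FileCoder app requesting.
REPORTED = {
    "SET_WALLPAPER", "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE",
    "READ_CONTACTS", "INTERNET", "SEND_SMS", "RECEIVE_BOOT_COMPLETED",
}
# Grouping permissions into capabilities is this example's assumption.
CAPABILITIES = {
    "sms_spreading": {"READ_CONTACTS", "SEND_SMS"},
    "file_tampering": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "boot_persistence": {"RECEIVE_BOOT_COMPLETED"},
    "network": {"INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            perms.add(name[len(PREFIX):])
    return perms

def triage(manifest_xml):
    """Summarise which capability groups are fully granted and how close the
    manifest is to the reported permission set."""
    perms = requested_permissions(manifest_xml)
    return {
        "capabilities": sorted(c for c, need in CAPABILITIES.items() if need <= perms),
        "matches_reported_set": REPORTED <= perms,
        "overlap": len(REPORTED & perms),
    }

def _manifest(perms):
    # Builds a constructed sample manifest; not taken from any real app.
    body = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed">{body}</manifest>')

SUSPICIOUS = _manifest(sorted(REPORTED))            # constructed sample
BENIGN = _manifest(["INTERNET", "READ_CONTACTS"])   # constructed sample

if __name__ == "__main__":
    print(triage(SUSPICIOUS))
    print(triage(BENIGN))
```

A full match is a reason for closer inspection rather than a verdict, since each of these permissions is also requested by legitimate apps.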

Some weird behaviour for a ransomware

Digging deeper, the ransomware asks its victims to submit Bitcoin and provide the Bitcoin addresses. The ransom amount ranges from $94 to $188. It also gives a warning of 72 hours, or three days, to pay or lose access to the data.

However, the code of the ransomware does not indicate that it can remove any data. The IP address of the command server is hardcoded in the code. However, the developers can also change it to a new value with the help of the “Pastebin” service.

ESET revealed that the malware first sends the SMS message to the contact list and then starts encrypting the files. It changes the extension of all the non-system files to .seven. The ransomware will leave the file encrypted if it is more than 50MB in size.

Infected File
Once a user downloads an infected file, the Android/Filecoder.C ransomware spreads further via SMS with malicious links, which are sent to all the contacts in the victim’s contact list.
Once the victims install the infected file, the ransomware encrypts the files on the Android smartphone that occupy more than 50MB of space in the victim’s phone memory.

Zee Media Newsroom