Filecoder ransomware spreads via SMS and disguises itself as a porn game


ESET researchers have reported on a new Android malware family, Android/Filecoder.C (hereinafter simply Filecoder), which in July 2019 was distributed via SMS messages and via QR codes posted in pornography-themed subreddits on Reddit and on the XDA Developers forum (under the guise of a free online sex-simulator game). The ransomware currently attacks devices running Android 5.1 or later.

[Figure 1]

The researchers note that the XDA administrators removed the malicious posts after complaints, but the Reddit links were still live when ESET published its report.

To hide suspicious addresses, the attackers use the bit.ly link-shortening service. The links and QR codes lead to malicious APK files, i.e. trojanized applications that request the following permissions:
• android.permission.SET_WALLPAPER
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.READ_EXTERNAL_STORAGE
• android.permission.READ_CONTACTS
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.SEND_SMS
• android.permission.INTERNET
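The permission list above is itself a useful detection signal: a "game" has no reason to read the contact list, send SMS and restart itself at boot. The following is an added example (not ESET's code and not part of the original post) that parses a decoded AndroidManifest.xml and flags that combination. It assumes the manifest has already been decoded to plain XML (for instance with apktool; inside a packaged APK the manifest is in binary AXML form, which this snippet does not parse), and the two manifests embedded below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The seven permissions the ESET write-up lists for the Filecoder APK.
FILECODER_PERMISSIONS = {
    "android.permission.SET_WALLPAPER",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
}

# Heuristic core: read the address book, message it, survive a reboot.
# This is the minimum an SMS-spreading sample needs; the threshold is our choice.
SMS_WORM_CORE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
STORAGE_WRITE = "android.permission.WRITE_EXTERNAL_STORAGE"


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def assess(manifest_xml):
    """Score a manifest against the Filecoder permission profile.

    verdict: 'suspicious' when the SMS-worm core plus external-storage write
             are all present (contacts can be messaged and files rewritten),
             'review' when SEND_SMS and READ_CONTACTS appear together,
             'ok' otherwise.
    """
    perms = requested_permissions(manifest_xml)
    overlap = perms & FILECODER_PERMISSIONS
    worm_core = SMS_WORM_CORE <= perms
    if worm_core and STORAGE_WRITE in perms:
        verdict = "suspicious"
    elif {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "permissions": sorted(perms),
        "overlap_with_filecoder": len(overlap),
        "sms_worm_core": worm_core,
        "verdict": verdict,
    }


def _manifest(perm_names):
    # Build a constructed (hypothetical) decoded manifest for testing.
    body = "".join(
        '<uses-permission android:name="%s"/>' % p for p in perm_names
    )
    return (
        '<manifest xmlns:android="%s" package="com.example.hypothetical">%s'
        "<application/></manifest>" % (ANDROID_NS, body)
    )


# Constructed samples: one mirroring the listed Filecoder profile, one benign.
SUSPICIOUS_MANIFEST = _manifest(sorted(FILECODER_PERMISSIONS))
BENIGN_MANIFEST = _manifest(["android.permission.INTERNET"])

if __name__ == "__main__":
    for label, m in (("filecoder-like", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(m)["verdict"])
```

The verdict is a triage aid, not a classifier: legitimate messaging apps also request SEND_SMS and READ_CONTACTS, which is why that pair alone only yields "review" and the decision should be combined with the app's declared purpose and its distribution channel.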

Once installed on the device, the malicious application sends text messages to the victim's entire contact list, urging recipients to click a link and download the malware themselves (the messages claim that the victim's photos have been added to some porn application).

[Figure 4]

The fraudulent messages come in 42 languages, but an attentive user may notice that something is wrong: the translations are poor, and the SMS text is often a meaningless string of words.

As a result of the infection, files on the victim's device are encrypted. The list of file extensions the ransomware targets looks unusual, however: it includes file types that have nothing to do with the Android OS. In addition, the ransomware leaves certain files unencrypted: .zip and .rar files whose size exceeds 51200 KB (50 MB), and .jpeg, .jpg and .png files smaller than 150 KB.
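For incident response, the exclusion rules above tell a responder which files on an affected device should still be intact and which may need to be restored from backup. The following is an added example (not ESET's code and not part of the original post) that applies exactly those two rules to a file inventory. It assumes the report's "Kb" means kibibytes (1024 bytes) and that "exceeds" and "less than" are strict comparisons; the inventory is a constructed sample, not data from a real device, and the targeted-extension list itself is not on the page, so files outside the exclusions are only reported as "not protected by the rules", not as definitely encrypted.

```python
import os

KB = 1024  # assumption: the report's "Kb" is read as 1024 bytes

# Exclusion rules described in the ESET write-up: these files are left unencrypted.
ARCHIVE_EXTS = {".zip", ".rar"}
ARCHIVE_SKIP_ABOVE = 51200 * KB   # archives larger than 51200 KB (50 MB) are skipped
IMAGE_EXTS = {".jpeg", ".jpg", ".png"}
IMAGE_SKIP_BELOW = 150 * KB       # images smaller than 150 KB are skipped


def left_unencrypted(path, size_bytes):
    """True when the documented rules say Filecoder skips this file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in ARCHIVE_EXTS:
        return size_bytes > ARCHIVE_SKIP_ABOVE
    if ext in IMAGE_EXTS:
        return size_bytes < IMAGE_SKIP_BELOW
    return False


def triage(inventory):
    """Split (path, size_bytes) pairs into files the rules guarantee were
    skipped and files the rules do not protect (candidates for restore)."""
    intact, unprotected = [], []
    for path, size in inventory:
        (intact if left_unencrypted(path, size) else unprotected).append(path)
    return intact, unprotected


# Constructed sample inventory (hypothetical paths and sizes).
SAMPLE_INVENTORY = [
    ("/sdcard/DCIM/thumb.jpg", 90 * KB),               # small image: skipped
    ("/sdcard/DCIM/holiday.jpg", 3 * 1024 * KB),       # 3 MB image: not protected
    ("/sdcard/Download/backup.zip", 60 * 1024 * KB),   # 60 MB archive: skipped
    ("/sdcard/Download/small.zip", 2 * 1024 * KB),     # 2 MB archive: not protected
    ("/sdcard/Documents/notes.txt", 4 * KB),           # no rule applies
]

if __name__ == "__main__":
    intact, unprotected = triage(SAMPLE_INVENTORY)
    print("should be intact:", intact)
    print("not protected by the size rules:", unprotected)
```

Note the boundary behaviour: an archive of exactly 51200 KB is not excluded, because the report says the size must exceed that value. If a responder's findings on a real device contradict this reading, the rule constants are the place to adjust.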

“It looks like the list of encryption extensions was copied from the list that was used in the famous WannaCry campaign,” said ESET expert Lucas Stefanko.

After that, the user is shown a ransom note demanding payment in bitcoin, otherwise all files will allegedly be erased after 72 hours. However, ESET analysts found no code in the ransomware that deletes files after a time limit.

[Figure: Filecoder ransom note]

Interestingly, unlike most other Android ransomware, Filecoder does not lock the victim's screen and lets them continue using the device. It is also noteworthy that each victim is assigned a unique ransom amount in the range of 0.01-0.02 bitcoin (from 6,000 to 12,000 rubles).

“The unique ransom amount is an innovation; we have never seen such a model of extortion from Android users,” Stefanko writes. “In general, the detected campaign looks unprofessional. However, if the distribution is improved, this ransomware could become a serious threat.”