A new ransomware for mobile devices has surfaced online. The mutating and evolving digital virus targets smartphones running Google’s Android operating system. The malware attempts to gain entry through a simple but cleverly disguised SMS message and then digs deep into the mobile phone’s internal system. Besides holding critical and sensitive data hostage, the new worm aggressively attempts to spread to other victims through the compromised smartphone’s communication platforms. The new family of ransomware marks an important but concerning milestone for Google’s Android OS, which was increasingly being considered relatively safe from targeted cyber-attacks.

Cyber-security professionals working for ESET, the popular developer of antivirus, firewall and other digital protection tools, discovered a new family of ransomware designed to attack Google’s Android mobile operating system. The digital Trojan horse utilizes SMS messaging to spread, the researchers noted. ESET researchers have dubbed the new malware Android/Filecoder.C and have observed increased activity from it. Incidentally, the ransomware appears to be quite new, but it marks the end of a two-year decline in new Android malware detections. Simply put, hackers appear to have renewed interest in targeting smartphone operating systems. Just today we reported on multiple “Zero Interaction” security vulnerabilities that were discovered within the Apple iPhone iOS operating system.

Filecoder Active Since July 2019 But Spreading Quickly And Aggressively Through Clever Social Engineering

According to the Slovakian antivirus and cybersecurity company, Filecoder has been observed in the wild very recently. ESET researchers claim they have seen the ransomware spreading actively since July 12, 2019. Simply put, the malware appears to have surfaced less than a month ago, but its impact could be increasing every day.

The virus is particularly interesting because attacks on Google’s Android operating system have been declining steadily for about two years. This generated a general perception that Android was mostly immune to viruses, or that hackers were not specifically going after smartphones and were instead targeting desktop computers or other hardware and electronics. Smartphones are quite personal devices, and hence could be considered limited potential targets compared to devices used in companies and organizations. Targeting PCs or electronic devices in such large settings has several potential benefits, as a compromised machine can offer a quick way of compromising several other devices. Then it is a matter of analyzing the collected data to pick out sensitive information. Incidentally, several hacking groups appear to have pivoted to conducting large-scale espionage attacks.

The new ransomware, on the other hand, merely attempts to restrict the owner of the Android smartphone from accessing personal information. There’s no indication that the malware attempts to leak or steal personal or sensitive information or install other payloads like keyloggers or activity trackers to try and gain access to financial information.

How Does Filecoder Ransomware Spread On Google Android Operating System?

Researchers have discovered that the Filecoder ransomware spreads through the Android messaging, or SMS, system, but its point of origin is elsewhere. The virus appears to be launching through malicious posts in online forums including Reddit and the Android developer messaging board XDA Developers. After ESET pointed out the malicious posts, XDA Developers took swift action and took down the suspected media, but the questionable content was still up on Reddit at the time of publication.

Most of the malicious posts and comments found by ESET attempt to lure victims into downloading the malware. The virus pulls in the victim by mimicking the content that is usually associated with pornographic material. In some cases the researchers also observed some technical topics being used as baits. In most of the cases though, the attackers included links or QR codes pointing to the malicious apps.

To avoid immediate detection before being accessed, the malware’s links are masked as bit.ly links. Several such link shortening sites have been used in the past to direct unsuspecting Internet users to malicious websites, conduct phishing and other cyber-attacks.

Once the Filecoder ransomware has firmly planted itself within the victim’s Android mobile device, it does not immediately begin locking down the user’s information. Instead, the malware first raids the Android system’s contacts. Researchers observed some interesting but disturbingly aggressive behavior of the Filecoder ransomware. Essentially, the malware swiftly but thoroughly sifts through the victim’s contact list to spread itself.

The malware attempts to send a carefully worded, auto-generated text message to every entry within the Android mobile device’s contact list. To boost the chances of potential victims clicking and downloading the ransomware, the Filecoder virus deploys an interesting trick. The link contained within the tainted text message is advertised as an app. More importantly, the malware ensures the message contains the profile photo of the potential victim. Moreover, the photo is carefully positioned to fit inside an app the victim is already using. In reality, it is a malicious fake app harboring the ransomware.

Even more concerning is the fact the Filecoder ransomware is coded to be multilingual. In other words, depending on the infected device’s language setting, the messages can be sent in one of 42 possible language versions. The malware also inserts the contact’s name within the message automatically, to boost perceived authenticity.

How Does The Filecoder Ransomware Infect And Work?

The links that the malware generates usually contain an app that attempts to lure victims. The real purpose of the fake app is discreetly running in the background. This app contains hardcoded command-and-control (C2) settings, as well as Bitcoin wallet addresses, within its source code. The attackers have also used the popular online note-sharing platform Pastebin, but it only serves as a conduit for dynamic retrieval and possibly further infection points.

After the Filecoder ransomware has sent the tainted SMS messages in batches, it scans the infected device to find all storage files and encrypts the majority of them. ESET researchers have discovered the malware will encrypt all types of file extensions that are commonly used for text files, images, videos, etc. But for some reason, it leaves Android-specific files such as .apk or .dex untouched. The malware also does not touch compressed .zip and .rar files, or files that are over 50 MB. The researchers suspect the malware creators might have done a poor copy-paste job of lifting content from WannaCry, a far more severe and prolific form of ransomware. All the encrypted files are appended with the extension “.seven”.
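
For responders assessing a device hit by this family, the file-selection behaviour described above can be turned into a quick impact check. The following is an added example, not code from ESET or from the original article: it walks a copy of the device's storage, counts files carrying the “.seven” extension, and separates out files of the types the article says are skipped. Reading “50 MB” as binary megabytes, the function names and the sample tree are assumptions.

```python
import os
import tempfile
from collections import Counter

MARKER = ".seven"                                # extension the article says is appended
SKIPPED_EXTS = {".apk", ".dex", ".zip", ".rar"}  # types the article says are left alone
SIZE_LIMIT = 50 * 1024 * 1024                    # "over 50 MB"; binary megabytes assumed

def triage(root):
    """Classify every file under root (a copy of the device's shared storage)."""
    report = {"encrypted": [], "spared_by_rule": [], "unencrypted": []}
    original_types = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name)
            if ext.lower() == MARKER:
                # "IMG_0001.jpg.seven" -> original type ".jpg"
                original_types[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                report["encrypted"].append(rel)
            elif ext.lower() in SKIPPED_EXTS or os.path.getsize(path) > SIZE_LIMIT:
                report["spared_by_rule"].append(rel)
            else:
                # In scope but unmarked: created later, or the pass was cut short.
                report["unencrypted"].append(rel)
    for bucket in report.values():
        bucket.sort()
    report["original_types"] = dict(original_types)
    return report

def build_sample_tree(root):
    """Constructed sample data; file names and layout are invented for the example."""
    layout = {
        "DCIM/IMG_0001.jpg.seven": 10, "DCIM/IMG_0002.jpg.seven": 10,
        "Documents/notes.txt.seven": 10, "Documents/new.txt": 10,
        "Download/app.apk": 10, "Download/backup.zip": 10,
        "Movies/holiday.mp4": SIZE_LIMIT + 1,
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # sets the size without writing real content
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage(build_sample_tree(tmp)).items():
            print(key, value)
```

Run it against a read-only copy of the storage rather than the live device, so that timestamps and any remaining evidence are preserved.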

After successfully encrypting the files on the Android mobile device, the ransomware then flashes a typical ransom note containing demands. Researchers have noticed the Filecoder ransomware makes demands ranging from approximately $98 to $188 in cryptocurrency. To create a sense of urgency, the malware also has a simple timer that lasts for about 3 days or 72 hours. The ransom note also mentions how many files it is holding hostage.

Interestingly, the ransomware does not lock the device screen or prevent a smartphone from being used. In other words, victims can still use their Android smartphone, but will not have access to their data. Moreover, even if the victims somehow uninstall the malicious or suspected app, it does not undo the changes or decrypt the files. Filecoder generates a public and private key pair when encrypting a device’s contents. The public key is encrypted with a powerful RSA-1024 algorithm and a hardcoded value which is sent to the creators. After the victim pays through the provided Bitcoin details, the attacker can decrypt the private key and release it to the victim.

Filecoder Not Only Aggressive But Also Complex To Get Away

ESET researchers had earlier reported that the hardcoded key value could be used to decrypt files without paying the blackmail fee by “changing the encryption algorithm to a decryption algorithm.” In short, the researchers felt the creators of the Filecoder ransomware had inadvertently left behind a rather simple method to create a decrypter.

“Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited. However, if the developers fix the flaws and the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.”

The researchers have updated their post about the Filecoder ransomware and clarified that “this ‘hardcoded key’ is an RSA-1024 public key, which can’t be easily broken, hence creating a decryptor for this particular ransomware is close to impossible.”

Strangely, the researchers also observed there is nothing in the ransomware’s code to support the claim that the affected data will be lost after the countdown timer ends. Moreover, the creators of the malware appear to be playing with the ransom amount. While the 0.01 Bitcoin or BTC remains standard, the subsequent numbers appear to be the user ID generated by the malware. Researchers suspect this method could serve as an authentication factor to match the incoming payments with the victim to generate and dispatch the decryption key.