New Android Ransomware Spreads Through Forum Posts and Customized Texts

Cyber extortionists have created new ransomware that encrypts files on Google Android devices. Find out how this ransomware infiltrates devices so you can avoid becoming a victim.

A new family of ransomware known as Android/Filecoder.C has been discovered. The initial infection occurs when Google Android device users download a malicious app by means of a link or quick response (QR) code in a forum post. Once on a device, the ransomware tries to spread itself by sending text messages to everyone on the victim’s contact list. Each message is customized with the recipient’s name to make the text seem more legitimate.

This ransomware could become a serious threat if the cybercriminals start targeting broader groups of users, according to security researchers. To avoid becoming a victim of this ransomware and similar variants, it helps to dissect past Android/Filecoder.C attacks to see how the ransomware infiltrated victims’ devices.

 

The Infiltration

When it comes to ransomware, looking at past attacks can help you prepare for new ones. Here is how the Android/Filecoder.C attacks in July and August 2019 were typically carried out:

To initially get the ransomware onto devices, cybercriminals posted messages in popular online forums such as Reddit and XDA Developers (a forum for mobile software developers). While most of the comments were porn-related, some dealt with technical topics.

The posted messages contained a malicious link or quick response (QR) code. In some cases, the hackers used the Bitly URL shortening service (aka “bit.ly” links) to hide the links’ real addresses. Other times, the hackers made no attempt to hide the links, which typically ended in “.apk”. Android Package Kit (APK) files are used to distribute and install mobile apps on Android devices. Cybercriminals sometimes hide malware in these files.

People who clicked the links or scanned the QR codes in the forum posts had Android apps containing Android/Filecoder.C automatically downloaded to their devices. When the victims launched the malicious apps, the apps displayed whatever was promised so the victims would not be immediately aware their devices were infected with ransomware. Nor were they aware that the ransomware was sending text messages to the people in their contact lists. The text messages tried to lure the recipients into downloading malicious apps. The messages included the recipients’ names to make them seem more legitimate.

Once the text messages were sent, the ransomware went to work encrypting more than 175 types of files and appending the file extension “.seven” to the original filenames (e.g., ProductPhoto0057.jpg.seven, QuarterlyReport.docx.seven). However, unlike some ransomware, Android/Filecoder.C did not lock the devices’ screens or prevent the devices from being used.

After the all files were encrypted, Android/Filecoder.C displayed its ransom note. The victims were instructed to pay the ransom in bitcoins. The amounts varied, usually ranging from $98 to $188 [USD]. Although the ransom note stated that the victims would lose their data if they did not pay within 72 hours, security researchers found nothing in the ransomware’s code to support that claim.

 

Be Cautious

Being cautious can go a long way in avoiding becoming a victim of Android/Filecoder.C and similar ransomware variants. For starters, you should avoid clicking links (especially if they end in “bit.ly” or “.apk”) and scanning QR codes in online forums and similar public venues. Typically, anyone can post messages — including cybercriminals — in forums. Even clicking links and scanning QR codes in a moderated forum can be risky. Forum owners might initially allow all messages to be posted, with a moderator reading them days later or only if there is a complaint.

Similarly, you should avoid clicking links in text and email messages from unknown sources. Clicking links can be risky even if a message is supposedly from someone you know. As the Android/Filecoder.C ransomware demonstrates, hackers know how to hijack text accounts. They are also skilled at hijacking email accounts. So, if a text or email message supposedly from someone you know seems odd, you might want to give the person a call to see if they sent it.

Besides being cautious about links and QR codes, you should be leery about installing apps from third-party sources on your device. It is best to install apps only from official stores like Google Play. Although a few malicious apps find their way into these stores, the risk is much greater if you download apps from third-party sources.

Even if an app is in an official store, you should research the app before downloading it. Reading the app’s reviews in the store and conducting Internet searches on the app might reveal security issues. Plus, you should find out the apps’ permissions. If they seem excessive for the types of functions performed by the app, you should avoid downloading it.

 

Be Proactive

Besides being cautious, you need to take preemptive measures to protect your device from Android/Filecoder.C. If you do not already have a mobile security solution installed on your device, it is time to get one. Mobile security solutions detect and block known types of malware, including ransomware. Some security solutions even scan apps for suspicious activity before you download them.

Another important measure is to make sure the software on your Android device is being regularly updated so that known vulnerabilities are patched. This reduces the number of exploitable entry points in your device. By default, the Android operating system and any apps you install from Google Play are automatically updated. It is a good idea, though, to make sure the updates are being installed. Plus, you need to make sure that updates for other apps are being installed.

Regularly backing up your mobile device is also important when it comes to ransomware. Although having restorable backups won’t help prevent a ransomware attack, you won’t have to pay the cyber-extortionists to get your files back if an infection occurs.

 

Android flickr photo by dungodung shared under a Creative Commons (BY-SA) license