Android Ransomware is Back (Jul 29, 2019)

A new type of Android ransomware has been identified by ESET Mobile Security as “Android/Filecoder.C”. The ransomware has been active since at least July 12, 2019, and is distributed using Reddit and XDA Developers, typically with adult-related content posted as bait. Using its ability to send SMS messages, the ransomware sends the victim’s contacts links to the malicious application, a sex simulation game that is used for Command and Control (C2) communications. After encrypting the user’s files, it makes a request for bitcoins; if the payment is made, the user is sent the private key to decrypt the files.

Recommendation: Android users should obtain software only from the Google Play Store and avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications provided by reputable vendors should be deployed on devices.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.