ESET researchers discover a new Android ransomware family that attempts to spread to victims’ contacts and deploys some unusual tricks.
After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected by ESET Mobile Security as Android/Filecoder.C, distributed via various online forums. Using victims’ contact lists, it spreads further via SMS with malicious links. Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited. However, if the developers fix the flaws and the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.
Android/Filecoder.C has been active since at least July 12th, 2019. Within the campaign we discovered, Android/Filecoder.C has been distributed via malicious posts on Reddit and the “XDA Developers” forum, a forum for Android developers. We reported the malicious activity to XDA Developers and Reddit. The posts on the XDA Developers forum were removed swiftly; the malicious Reddit profile was still up at the time of publication.
Android/Filecoder.C spreads further via SMS with malicious links, which are sent to all contacts in the victim’s contact list. After the ransomware sends out this batch of malicious SMSes, it encrypts most user files on the device and requests a ransom. Due to flawed encryption, it is possible to decrypt the affected files without any assistance from the attacker.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}