Monday, May 19, 2025
HomeAndroidHackers Spreading Android Ransomware via SMS to your Contacts and Encrypt your...

Hackers Spreading Android Ransomware via SMS to your Contacts and Encrypt your Device Files

Published on

SIEM as a Service

Follow Us on Google News

A new family of Android Ransomware dubbed Android/Filecoder.C distributed various online forums and further uses the victim’s contact list to SMS with a malicious link.

ESET detected the ransomware activity since July 12th, 2019, “Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited.”

Android Ransomware Distribution

The ransomware distributed in two methods, through online forums and SMS messages. The threat actors post or comment the ransomware download links on Reddit or XDA Developers forums.

- Advertisement - Google News

To lure the victim’s the threat actors post the porn-related or tech-related or QR codes that bound with the malicious apps. The attackers also hide the link by using URL shorteners, the bitly shared on Reddit shows it received 59 clicks till now from different countries and link created on Jun 11, 2019.

Android Ransomware

Also, the ransomware spreads via message, if it infects one device then scans for the victim’s contact list and spreads the malicious links to all the contacts.

Device Infection

By clicking on the link in the SMS, it downloads the malicious file and the victim’s need to install the app, once installed “it displays whatever is promised in the posts distributing it, but it’s intended purpose is C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism,” reads ESET report.

Android Ransomware

42 languages, C&C and Bitcoin addresses hardcoded in the ransomware, before encrypting the device it spreads the links to all the victim’s, next the ransomware access file storage to start with the encryption process.

Researchers noted that the “files can still be recovered, due to flawed encryption. Also, according to our analysis, there is nothing in the ransomware’s code to support the claim that the affected data will be lost after 72 hours.”

It encrypts the following file types

“.doc”, “.docx”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.pst”, “.ost”, “.msg”, 
“.eml”, “.vsd”, “.vsdx”, “.txt”, “.csv”, “.rtf”, “.123”, “.wks”, “.wk1”,
“.pdf”, “.dwg”, “.onetoc2”, “.snt”, “.jpeg”, “.jpg”, “.docb”, “.docm”,
“.dot”, “.dotm”, “.dotx”, “.xlsm”, “.xlsb”, “.xlw”, “.xlt”, “.xlm”,
“.xlc”, “.xltx”, “.xltm”, “.pptm”, “.pot”, “.pps”, “.ppsm”, “.ppsx”,
“.ppam”, “.potx”, “.potm”, “.edb”, “.hwp”, “.602”, “.sxi”, “.sti”,
“.sldx”, “.sldm”, “.sldm”, “.vdi”, “.vmdk”, “.vmx”, “.gpg”, “.aes”,
“.ARC”, “.PAQ”, “.bz2”, “.tbk”, “.bak”, “.tar”, “.tgz”, “.gz”, “.7z”,
“.rar”, “.zip”, “.backup”, “.iso”, “.vcd”, “.bmp”, “.png”, “.gif”,
“.raw”, “.cgm”, “.tif”, “.tiff”, “.nef”, “.psd”, “.ai”, “.svg”, “.djvu”,
“.m4u”, “.m3u”, “.mid”, “.wma”, “.flv”, “.3g2”, “.mkv”, “.3gp”,
“.mp4”, “.mov”, “.avi”, “.asf”, “.mpeg”, “.vob”, “.mpg”, “.wmv”,
“.fla”, “.swf”, “.wav”, “.mp3”, “.sh”, “.class”, “.jar”, “.java”, “.rb”,
“.asp”, “.php”, “.jsp”, “.brd”, “.sch”, “.dch”, “.dip”, “.pl”, “.vb”,
“.vbs”, “.ps1”, “.bat”, “.cmd”, “.js”, “.asm”, “.h”, “.pas”, “.cpp”,
“.c”, “.cs”, “.suo”, “.sln”, “.ldf”, “.mdf”, “.ibd”, “.myi”, “.myd”,
“.frm”, “.odb”, “.dbf”, “.db”, “.mdb”, “.accdb”, “.sql”,
“.sqlitedb”, “.sqlite3”, “.asc”, “.lay6”, “.lay”, “.mml”, “.sxm”,
“.otg”, “.odg”, “.uop”, “.std”, “.sxd”, “.otp”, “.odp”, “.wb2”,
“.slk”, “.dif”, “.stc”, “.sxc”, “.ots”, “.ods”, “.3dm”, “.max”,
“.3ds”, “.uot”, “.stw”, “.sxw”, “.ott”, “.odt”, “.pem”, “.p12”,
“.csr”, “.crt”, “.key”, “.pfx”, “.der”

This ransomware doesn’t lock the screen like other ransomware and it won’t encrypt following directories “.cache”, “tmp”, or “temp” and “.zip” or “.rar” over 50 MB and “.jpeg”, “.jpg” and “.png” file less than 150kb. Once the file encryption completed it appends .seven extension to the file and asks users to pay ransom to unlock the files.

But according to ESET researchers, the files can be decrypted without paying the ransom, ” it would be possible to decrypt files without paying the ransom by changing the encryption algorithm to a decryption algorithm. All that is needed is the UserID (see Figure 13) provided by the ransomware, and the ransomware’s APK file in case its authors change the hardcoded key value. So far, we have seen the same value in all samples of the Android/Filecoder.C ransomware.”

Android ransomware spotted almost after 2 years, the previous one that went wild was LOKIBOT which infected many victims and earned more than $1.5 Million around the world.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...