Saturday, February 15, 2025
HomeAndroidHackers Spreading Android Ransomware via SMS to your Contacts and Encrypt your...

Hackers Spreading Android Ransomware via SMS to your Contacts and Encrypt your Device Files

Published on

SIEM as a Service

Follow Us on Google News

A new family of Android Ransomware dubbed Android/Filecoder.C distributed various online forums and further uses the victim’s contact list to SMS with a malicious link.

ESET detected the ransomware activity since July 12th, 2019, “Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited.”

Android Ransomware Distribution

The ransomware distributed in two methods, through online forums and SMS messages. The threat actors post or comment the ransomware download links on Reddit or XDA Developers forums.

To lure the victim’s the threat actors post the porn-related or tech-related or QR codes that bound with the malicious apps. The attackers also hide the link by using URL shorteners, the bitly shared on Reddit shows it received 59 clicks till now from different countries and link created on Jun 11, 2019.

Android Ransomware

Also, the ransomware spreads via message, if it infects one device then scans for the victim’s contact list and spreads the malicious links to all the contacts.

Device Infection

By clicking on the link in the SMS, it downloads the malicious file and the victim’s need to install the app, once installed “it displays whatever is promised in the posts distributing it, but it’s intended purpose is C&C communication, spreading malicious messages and implementing the encryption/decryption mechanism,” reads ESET report.

Android Ransomware

42 languages, C&C and Bitcoin addresses hardcoded in the ransomware, before encrypting the device it spreads the links to all the victim’s, next the ransomware access file storage to start with the encryption process.

Researchers noted that the “files can still be recovered, due to flawed encryption. Also, according to our analysis, there is nothing in the ransomware’s code to support the claim that the affected data will be lost after 72 hours.”

It encrypts the following file types

“.doc”, “.docx”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.pst”, “.ost”, “.msg”, 
“.eml”, “.vsd”, “.vsdx”, “.txt”, “.csv”, “.rtf”, “.123”, “.wks”, “.wk1”,
“.pdf”, “.dwg”, “.onetoc2”, “.snt”, “.jpeg”, “.jpg”, “.docb”, “.docm”,
“.dot”, “.dotm”, “.dotx”, “.xlsm”, “.xlsb”, “.xlw”, “.xlt”, “.xlm”,
“.xlc”, “.xltx”, “.xltm”, “.pptm”, “.pot”, “.pps”, “.ppsm”, “.ppsx”,
“.ppam”, “.potx”, “.potm”, “.edb”, “.hwp”, “.602”, “.sxi”, “.sti”,
“.sldx”, “.sldm”, “.sldm”, “.vdi”, “.vmdk”, “.vmx”, “.gpg”, “.aes”,
“.ARC”, “.PAQ”, “.bz2”, “.tbk”, “.bak”, “.tar”, “.tgz”, “.gz”, “.7z”,
“.rar”, “.zip”, “.backup”, “.iso”, “.vcd”, “.bmp”, “.png”, “.gif”,
“.raw”, “.cgm”, “.tif”, “.tiff”, “.nef”, “.psd”, “.ai”, “.svg”, “.djvu”,
“.m4u”, “.m3u”, “.mid”, “.wma”, “.flv”, “.3g2”, “.mkv”, “.3gp”,
“.mp4”, “.mov”, “.avi”, “.asf”, “.mpeg”, “.vob”, “.mpg”, “.wmv”,
“.fla”, “.swf”, “.wav”, “.mp3”, “.sh”, “.class”, “.jar”, “.java”, “.rb”,
“.asp”, “.php”, “.jsp”, “.brd”, “.sch”, “.dch”, “.dip”, “.pl”, “.vb”,
“.vbs”, “.ps1”, “.bat”, “.cmd”, “.js”, “.asm”, “.h”, “.pas”, “.cpp”,
“.c”, “.cs”, “.suo”, “.sln”, “.ldf”, “.mdf”, “.ibd”, “.myi”, “.myd”,
“.frm”, “.odb”, “.dbf”, “.db”, “.mdb”, “.accdb”, “.sql”,
“.sqlitedb”, “.sqlite3”, “.asc”, “.lay6”, “.lay”, “.mml”, “.sxm”,
“.otg”, “.odg”, “.uop”, “.std”, “.sxd”, “.otp”, “.odp”, “.wb2”,
“.slk”, “.dif”, “.stc”, “.sxc”, “.ots”, “.ods”, “.3dm”, “.max”,
“.3ds”, “.uot”, “.stw”, “.sxw”, “.ott”, “.odt”, “.pem”, “.p12”,
“.csr”, “.crt”, “.key”, “.pfx”, “.der”

This ransomware doesn’t lock the screen like other ransomware and it won’t encrypt following directories “.cache”, “tmp”, or “temp” and “.zip” or “.rar” over 50 MB and “.jpeg”, “.jpg” and “.png” file less than 150kb. Once the file encryption completed it appends .seven extension to the file and asks users to pay ransom to unlock the files.

But according to ESET researchers, the files can be decrypted without paying the ransom, ” it would be possible to decrypt files without paying the ransom by changing the encryption algorithm to a decryption algorithm. All that is needed is the UserID (see Figure 13) provided by the ransomware, and the ransomware’s APK file in case its authors change the hardcoded key value. So far, we have seen the same value in all samples of the Android/Filecoder.C ransomware.”

Android ransomware spotted almost after 2 years, the previous one that went wild was LOKIBOT which infected many victims and earned more than $1.5 Million around the world.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...