New Android Ransomware in Forum Posts and Customized Texts

Cyber extortionists have created new ransomware that encrypts files on Google Android devices. Learn how this ransomware infiltrates devices so you can avoid becoming a victim.

This new family of ransomware is known as Android/Filecoder.C. The initial infection occurs when Google Android device users download a malicious app by means of a link or quick response (QR) code in a forum post. Once on a device, the ransomware tries to spread itself by sending text messages to everyone in the victim’s contact list. Each message is customized with the recipient’s name to make the text look more legitimate.

This ransomware could become a serious threat if the cybercriminals start targeting broader groups of users, according to security researchers. To avoid becoming a victim of this ransomware and similar variants, let's dissect past Android/Filecoder.C attacks to see how the ransomware infiltrated victims’ devices.

The Infiltration

When it comes to ransomware, looking at past attacks helps prepare you for new ones. This is how the Android/Filecoder.C attacks in the summer of 2019 were typically carried out:

To initially get the ransomware onto devices, cybercriminals posted messages in popular online forums such as Reddit and XDA Developers (a forum for mobile software developers). The posted messages contained a malicious link or QR code. In some cases, the hackers used the Bitly URL shortening service (aka “bit.ly” links) to hide the links’ real addresses. Other times, the hackers made no attempt to hide the links, which typically ended in “.apk”. Android Package Kit (APK) files are used to distribute and install mobile apps on Android devices, and cybercriminals sometimes hide malware in these files.

People who clicked the links or scanned the QR codes in the forum posts had Android apps containing Android/Filecoder.C automatically downloaded to their devices. When the victims launched the malicious apps, the apps displayed whatever was promised so the victims would not be immediately aware their devices were infected with ransomware. Nor were they aware that the ransomware was sending text messages to the people in their contact lists. The text messages tried to lure the recipients into downloading malicious apps, and they included the recipients’ names to make them seem more legitimate.

Once the text messages were sent, the ransomware went to work encrypting more than 175 types of files and appending the file extension “.seven” to the original filenames (e.g., ProductPhoto0057.jpg.seven, QuarterlyReport.docx.seven). However, unlike some ransomware, Android/Filecoder.C did not lock the devices’ screens or prevent the devices from being used.

Once all files were encrypted, Android/Filecoder.C displayed its ransom note. The victims were instructed to pay the ransom in bitcoins. The amounts varied, usually ranging from $98 to $188 [USD]. Although the ransom note stated that the victims would lose their data if they did not pay within 72 hours, security researchers found nothing in the ransomware’s code to support that claim.
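Because the ransomware appends “.seven” to each encrypted file rather than locking the device, a responder can inventory the damage from a storage listing alone. The script below is an added example (not code from the original article or from any security vendor): it flags the artifacts, recovers the pre-encryption names so they can be matched against a backup, and tallies which file types were hit. The file names it processes are constructed for illustration.

```python
"""Triage helper for the ".seven" suffix that Android/Filecoder.C appends
to the files it encrypts (e.g. ProductPhoto0057.jpg.seven).
Added example; the sample listing below is constructed, not victim data."""
import os
from collections import Counter
from typing import Iterable

RANSOM_SUFFIX = ".seven"  # suffix appended by Android/Filecoder.C


def is_filecoder_artifact(path: str) -> bool:
    """True when the name looks like <original name>.seven (suffix appended)."""
    base = os.path.basename(path)
    return base.lower().endswith(RANSOM_SUFFIX) and len(base) > len(RANSOM_SUFFIX)


def original_name(path: str) -> str:
    """Strip the appended '.seven' to recover the pre-encryption file name."""
    if not is_filecoder_artifact(path):
        raise ValueError(f"not a Filecoder artifact: {path!r}")
    return path[: -len(RANSOM_SUFFIX)]


def triage(paths: Iterable[str]) -> dict:
    """Summarise a storage listing: how many files were hit, which original
    types they were, and which names to look for in a backup."""
    hit = [p for p in paths if is_filecoder_artifact(p)]
    restore = [original_name(p) for p in hit]
    by_type = Counter(os.path.splitext(n)[1].lower() or "(no extension)" for n in restore)
    return {
        "encrypted_count": len(hit),
        "by_original_type": dict(by_type),
        "restore_from_backup": sorted(restore),
    }


# Constructed sample listing mixing untouched and encrypted files.
SAMPLE_LISTING = [
    "DCIM/Camera/ProductPhoto0057.jpg.seven",
    "Documents/QuarterlyReport.docx.seven",
    "Documents/notes.txt",       # untouched
    "Download/invoice.pdf.seven",
    "Download/README.seven",     # original file had no extension
    "Music/seven",               # not an artifact: nothing was appended
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"{report['encrypted_count']} encrypted files")
    for ext, n in sorted(report["by_original_type"].items()):
        print(f"  {ext}: {n}")
    print("Restore from backup:", *report["restore_from_backup"], sep="\n  ")
```

The recovered names are what you compare against your most recent backup, which is why the backup advice later in this post matters more than the ransom note's 72-hour deadline.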

Be Cautious

Avoid clicking links (especially if they contain “bit.ly” or end in “.apk”) and scanning QR codes in online forums and similar public venues, even moderated ones. Avoid clicking links in text and email messages from unknown sources. Hackers know how to hijack text accounts and are also skilled at hijacking email accounts. So, if a text or email message supposedly from someone you know seems odd, you might want to give the person a call to see if they sent it.

Also, ONLY install apps from official stores like Google Play. Although a few malicious apps find their way into these stores, the risk is much greater if you download apps from third-party sources. Even if an app is in an official store, you should research the app before downloading it. Reading the app’s reviews in the store and conducting Internet searches on the app might reveal security issues. You should also check the permissions the app requests. If they seem excessive for the types of functions the app performs, you should avoid downloading it.

Be Proactive

Besides being cautious, you need to take preemptive measures to protect your device from Android/Filecoder.C. Make sure you have a mobile security solution installed on your device. It will detect and block known types of malware, including ransomware, and some security solutions also scan apps for suspicious activity before you download them.

Make sure the software on your Android device is regularly updated so that known vulnerabilities are patched. By default, the Android operating system and any apps you install from Google Play are automatically updated. Check to make sure updates are being installed.

Regularly back up your mobile device. Although having restorable backups won’t help prevent a ransomware attack, you won’t have to pay the cyber-extortionists to get your files back if an infection occurs.

Want to find out additional ways to protect your business? At CopperTree Solutions we can help get you started with IT planning items to consider and how IT Services can assist.

CopperTree Solutions serves clients both large and small, in Kitchener, Waterloo, Cambridge, Guelph, Stratford, and around South Western Ontario.

Call 519-804-2461 or Colin.Shantz@ctsol.ca
