What Is It?

Following a long period of decline, a new variant of Android ransomware imaginatively dubbed Filecoder.C, has been discovered by researchers at ESET. The ransomware has been in the wild since mid-July.

The attackers attempt to social engineer users by creating threads or posts on Reddit and the XDA Developers forum containing links or QR codes for their malicious Android application. The XDA Developers forum is used by developers of Android applications, which seems an odd choice, given that this group might be more wary of downloading Android applications than the average individual.

Once infected with FileCoder.C, the user’s device sends text messages to all contacts, attempting to socially engineer them to click on the included malicious link. The messages follow the format of “[Contact’s First Name], How can they put your photos in this app, I think I need to tell you, [malicious link]”. The text of the message is available in 42 languages and the language the device is set to is used to select which language the messages will be sent.

Filecoder.C uses RSA encryption and is cryptographically secure. There are 179 file extensions it will encrypt, although it will ignore directories with names containing “.cache”, “tmp” and “temp”. Additionally, likely for performance reasons, it will not encrypt image files less that 150KB or Zip and RAR files greater than 50MB. It appears that the list of file extensions to encrypt has been taken from WannaCry ransomware samples. Therefore, the list includes filetypes not used by Android and excludes specific Android extensions such as apx and dex. The list of targeted file extensions will likely evolve should there be further variants released. Encrypted files have “.seven” appended to the end of their filename.

The ransom note threatens that data will be lost after 72 hours. However, ESET researchers found no indication of this functionality in the code of the malware.

How Does It Propagate?

Initially spread by links in malicious posts to Reddit and an Android developer’s forum, it also spreads by sending text messages containing malicious links to all of the contacts stored on an infected Android device. The attackers utilize social engineering techniques to attempt to convince users to install the malicious Android application.

When/How Did BluVector Detect It?

Two Filecoder.C samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 61 months prior to their release.

Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.