Ransomware on Android! FileCoder.C

[Guest]

Android ransomware is back

 

Quote

ESET researchers discover a new Android ransomware family that attempts to spread to victims’ contacts and deploys some unusual tricks

 

Share

UPDATE (July 30th, 2019): Due to rushing with the publication of this research – in order to warn about this threat as soon as possible – we erroneously stated that “because of the hardcoded key value that is used to encrypt the private key, it would be possible to decrypt files without paying the ransom by changing the encryption algorithm to a decryption algorithm”. However, this “hardcoded key” is an RSA-1024 public key, which can’t be easily broken, hence creating a decryptor for this particular ransomware is close to impossible. Hat tip goes to Alexey Vishnyakov from Positive Technologies who drew our attention to this inaccuracy.

After two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected by ESET Mobile Security as Android/Filecoder.C, distributed via various online forums. Using victims’ contact lists, it spreads further via SMS with malicious links. Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.

Android/Filecoder.C has been active since at least July 12^th, 2019. Within the campaign we discovered, Android/Filecoder.C has been distributed via malicious posts on Reddit and the “XDA Developers” forum, a forum for Android developers. We reported the malicious activity to XDA Developers and Reddit. The posts on the XDA Developers forum were removed swiftly; the malicious Reddit profile was still up at the time of publication.

Android/Filecoder.C spreads further via SMS with malicious links, which are sent to all contacts in the victim’s contact list.

After the ransomware sends out this batch of malicious SMSes, it encrypts most user files on the device and requests a ransom.

Users with ESET Mobile Security receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.

...

Well... Porn users... " Don't forget the love glove! " 

[rcmaehl]

Phone malware have always either prevented you from using them requesting payment from those less technical (FBI has detected porn/illegal activity/drugs on your device, pay X BTC now or be arrested) or stole data. This is just previous malware with extra steps.

 

Perhaps this increase in Ransonware has been brought on by the fact that SEVERAL LARGE COMPANIES are now advising users how to bypass the Google Play store so that those companies can make more money by preventing Google from taking a cut. Perhaps sideloading should be limited to adb only.

[BuckGup]

INB4 flamewar about how iPhones have never gotten ransomware 

[spartaman64]

1 minute ago, BuckGup said:

INB4 flamewar about how iPhones have never gotten ransomware 

iphones has built in ransomware Kappa

[rcmaehl]

1 hour ago, BuckGup said:

INB4 flamewar about how iPhones have never gotten ransomware 

You know what superior phone has never gotten ransonware?

Blackberry

[dfsdfgfkjsefoiqzemnd]

19 minutes ago, rcmaehl said:

You know what superior phone has never gotten ransonware?

Nokia 3310

FTFY

[Curious Pineapple]

2 hours ago, BuckGup said:

INB4 flamewar about how iPhones have never gotten ransomware 

INB4 thread locked

[williamcll]

3 hours ago, spartaman64 said:

iphones has built in ransomware Kappa

That's hard to believe. 

[HarryNyquist]

4 hours ago, rcmaehl said:

Perhaps this increase in Ransonware has been brought on by the fact that SEVERAL LARGE COMPANIES are now advising users how to bypass the Google Play store so that those companies can make more money by preventing Google from taking a cut. Perhaps sideloading should be limited to adb only.

I still say that Android sideloading will become just like Android rooting or Android bootloader-unlocking in the near future. Go ahead and do it but lose official access to the Play Store, Google Pay, etc, because of "security risks." Of course, the real reason will be to get more revenue thru the Play Store, but they won't say that...

[Flying Sausages]

Please don't encrypt all my memes stored on my phone

 

 

[strajk-]

I welcome this with open arms, Google doesn't want to add Encryption to Google Keep notes, so I'll let a malware do it for me.

[suicidalfranco]

6 hours ago, BuckGup said:

INB4 flamewar about how iPhones have never gotten ransomware @DrMacintosh

fify

[TetraSky]

8 hours ago, Cora_Lie said:

Android/Filecoder.C spreads further via SMS with malicious links, which are sent to all contacts in the victim’s contact list.

And that's why I never open up a link from anyone on SMS without first looking up the domain on my PC.

Recently I got a spam/scam message from "rogers" telling me I had a refund waiting for me and had to go to rogersserv.com ... yeah right. Not only did I never have a phone with Rogers, that domain is literally 1 day old... Really have to wonder what happens if I go on that website, though.

[Guest]

5 minutes ago, TetraSky said:

And that's why I never open up a link for anyone on SMS without first looking up the domain on my PC.

Recently I got a spam/scam message from "rogers" telling me I had a refund waiting for me and had to go to rogersserv.com ... yeah right. Not only did I never have a phone with Rogers, that domain is literally 1 day old... Really have to wonder what happens if I go on that website.

To me that's exactly the same as getting a mail from Wish telling me I need to clic on the link to get a refund of my latest purchase from their website, knowing that I NE-VER ordered in my all life from Wish!

As if I'd clic like that on a link which is not even pointing on the official Wish website...

Same old, same old...

[Salv8 (sam)]

9 hours ago, rcmaehl said:

Perhaps sideloading should be limited to adb only.

by default sideloading is disabled and tells the user

IO CUNT, YOU CAN FUCKEN GET INFECTED IF YOU DOWNLOAD STUPID SHIT!

in fact some even go a step futher and only enable it for a short period of time (although this can be disabled if the user requires it)

plus the causes another issue

companys that side load their own in-house apps to their devices, since many just copy the apk to the device and get it over and done with, this adds extra steps in order to get a device prepped for an employee, which is something companys don't like, wasting more time that could be used working on their business goals. (business speak producing products and services)

plus a lot of devs do the same and just copy the apk to the device while developing apps as it's easier then adb since adb can be a pain to work with when developing apps

[rcmaehl]

24 minutes ago, Salv8 (sam) said:

by default sideloading is disabled and tells the user

 IO CUNT, YOU CAN FUCKEN GET INFECTED IF YOU DOWNLOAD STUPID SHIT!

As it should be. I really think bypassing Google Play protection on the device itself should be removed.

[Salv8 (sam)]

6 hours ago, rcmaehl said:

As it should be. I really think bypassing Google Play protection on the device itself should be removed.

play protection goes nuts every time you install something not from the play store

i once sideloaded an app when play protection was new and i didn't know about it, it started saying that my phone might be unsafe since i installed an app not from the play store! OH NOOES!!!!

1. it is on the play store

2. i downloaded it directly from the devs website so i know it's safe

3. play protection could of just looked up the apps com.dev.appname on the play store to check and see if it's on there (which it does now after some people complained about that)

 

play protection is googles way of ensuring that the average consumer stays with the play store and doesn't install a third party app store as it will start going off the sec you install it making the consumer think "oh no. this app is unsafe, i must uninstall it!"

if it was just a basic anti-virus this would be fine, if it just looked at what apps are doing and what their code contains this would be a great addition to the play store to keep consumers safe.

but it doesn't, all it does is check and see if the app isn't on the play store and tries to get the user to remove it

in fact play protection itself should be removed cause its just not a good thing for android, android itself has enough issues currently and doesn't need more.

[silberdrachi]

Doesnt everyone have some sort of sync and backup for contacts and photos? I get ransomware on computers because very few people have backups (offline or cloud) but phones seems kind of silly. If i get hit by this, i spend an hour resetting my phone and sync everything back.

[vanished]

I suppose we should all be happy for this but it seems like a huge missed opportunity.  Ransomware works on a computer because that's where you keep all your files.  A phone is just a "client" device - everything on it is either a copy of the master that's on your PC, or new content from it that's also automatically synced to the cloud, so there's really nothing to lose.  Not to give them tips but they should have gone after all the sensitive data that tends to be on phones - personal info, maybe browsing history, etc. - stealing that would be far more effective than holding data ransom.

[Noctus]

9 hours ago, Ryan_Vickers said:

I suppose we should all be happy for this but it seems like a huge missed opportunity.  Ransomware works on a computer because that's where you keep all your files.  A phone is just a "client" device - everything on it is either a copy of the master that's on your PC, or new content from it that's also automatically synced to the cloud, so there's really nothing to lose.  Not to give them tips but they should have gone after all the sensitive data that tends to be on phones - personal info, maybe browsing history, etc. - stealing that would be far more effective than holding data ransom.

So you're wanting ransomware ? okay then.

[vanished]

3 minutes ago, Noctus said:

So you're wanting ransomware ? okay then.

No, I'm saying ransomware on a phone as a concept is stupid because it's not going to be effective and there's much worse things they could do, and I suppose we should be happy that they didn't

[dfsdfgfkjsefoiqzemnd]

10 hours ago, Ryan_Vickers said:

Ransomware works on a computer because that's where you keep all your files.  A phone is just a "client" device - everything on it is either a copy of the master that's on your PC, or new content from it that's also automatically synced to the cloud, so there's really nothing to lose.

For most people on here, yes.  However a lot of people use their phone as their primary device for storing important notes etc, and a lot of them don't sync everything.  For those people ransomware is a real problem. 

 

[Zodiark1593]

On 8/2/2019 at 8:17 AM, rcmaehl said:

Phone malware have always either prevented you from using them requesting payment from those less technical (FBI has detected porn/illegal activity/drugs on your device, pay X BTC now or be arrested) or stole data. This is just previous malware with extra steps.

 

Perhaps sideloading should be limited to adb only.

Goodness no! I would like to not require another device and command line to be able to install (sideload really os a silly term here) applications outside the Play Store.

[tech.guru]

On 8/4/2019 at 12:36 AM, Ryan_Vickers said:

No, I'm saying ransomware on a phone as a concept is stupid because it's not going to be effective and there's much worse things they could do, and I suppose we should be happy that they didn't

ransomware tends to get more sophisticated with time.

I can foresee this turning into a blackmail scam, if this turns out to be a greater trend as some peoples phones have very sensitive data. 

 

the problem will be very few people side load apps on android, being able to trick a user to agree to all of andriods warning for installing untrusted applications would require significant social engineering.

 

its more likely to sneak code in one of the applications on app store. a lot of applications are malicious there and yet to be flagged

 

[vanished]

7 minutes ago, tech.guru said:

ransomware tends to get more sophisticated with time.

I can foresee this turning into a blackmail scam, if this turns out to be a greater trend as some peoples phones have very sensitive data.

 

Yeah that would make a lot more sense and pose a greater risk.  Hopefully that doesn't happen but I think that might already have been tried before