Eset has discovered a new Android file-encrypting ransomware, detected as Android/Filecoder.C, that targets Android users through pornography-themed Reddit communities.
Attackers distributed malicious links and QR codes in Reddit's pornography sections and on the XDA Developers Android forum. The suspicious destination address was hidden behind bit.ly, a URL-shortening service. Once installed, the malicious application sends text messages to every entry in the victim's contact list, urging recipients to click the link and download the malicious program.
The messages exist in 42 language variants, but an attentive user will sense that something is wrong: the translations are poor, and the SMS text often amounts to a meaningless jumble of words.
Once the malicious application is installed, the files on the victim's device are encrypted and the user is shown a ransom note demanding payment, otherwise all files will supposedly be deleted after 72 hours.
However, Eset's analysts found no code in the ransomware that deletes files after any deadline, so the 72-hour threat is not backed by the code.
It is worth noting that the file encryption is relatively unprofessional. First, the program skips large archives (over 50 MB) and small images (up to 150 KB). Second, the list of file extensions it selects for encryption is odd: it includes file types that have nothing to do with Android.
“It seems that the list of encryption extensions has been copied from the list used in the well-known WannaCry campaign,” said Eset expert Lukas Štefanko.
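The file-selection rules described above (a target extension list, archives over 50 MB skipped, images up to 150 KB skipped) are the kind of thing an incident responder wants to replay over a file inventory pulled from an affected device, to scope which files were at risk and which were spared. The following is an added example, not Eset's code and not the malware's own code: it implements those rules as a triage filter and runs it over a constructed file inventory. The extension list is an assumed illustrative subset, since the page says the real list resembles WannaCry's but does not reproduce it.

```python
"""Triage filter replaying the Android/Filecoder.C file-selection rules as
described in the article. Added example; the extension list is an ASSUMED
illustrative subset, not the malware's actual list."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Iterable, List, Tuple

KB = 1024
MB = 1024 * KB

# ASSUMED subset of targeted extensions (WannaCry-style list per the article).
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".sql", ".vhd",
    ".jpg", ".jpeg", ".png", ".zip", ".rar", ".7z",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}

ARCHIVE_SKIP_OVER = 50 * MB   # archives strictly larger than this are skipped
IMAGE_SKIP_UP_TO = 150 * KB   # images up to and including this size are skipped


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int  # bytes


def would_be_encrypted(entry: FileEntry) -> bool:
    """Return True if the described selection rules would pick this file."""
    ext = PurePosixPath(entry.path).suffix.lower()
    if ext not in TARGET_EXTENSIONS:
        return False
    if ext in ARCHIVE_EXTENSIONS and entry.size > ARCHIVE_SKIP_OVER:
        return False
    if ext in IMAGE_EXTENSIONS and entry.size <= IMAGE_SKIP_UP_TO:
        return False
    return True


def triage(entries: Iterable[FileEntry]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (targeted, spared) path lists."""
    targeted, spared = [], []
    for entry in entries:
        (targeted if would_be_encrypted(entry) else spared).append(entry.path)
    return targeted, spared


# Constructed sample inventory (made up for this example).
SAMPLE_INVENTORY = [
    FileEntry("/sdcard/Download/contract.pdf", 2 * MB),
    FileEntry("/sdcard/Download/backup.zip", 51 * MB),      # archive > 50 MB: spared
    FileEntry("/sdcard/Download/photos.zip", 20 * MB),      # archive <= 50 MB: targeted
    FileEntry("/sdcard/DCIM/.thumbnails/t1.jpg", 40 * KB),  # image <= 150 KB: spared
    FileEntry("/sdcard/DCIM/Camera/IMG_0001.jpg", 3 * MB),  # image > 150 KB: targeted
    FileEntry("/sdcard/Android/data/app.apk", 10 * MB),     # extension not listed: spared
    FileEntry("/sdcard/Documents/notes.TXT", 4 * KB),       # case-insensitive match
]

if __name__ == "__main__":
    hit, miss = triage(SAMPLE_INVENTORY)
    print("Would be encrypted:")
    for p in hit:
        print("  ", p)
    print("Spared by the malware's own rules:")
    for p in miss:
        print("  ", p)
```

In a real case the inventory would come from a filesystem listing of the device (for example `find /sdcard -type f -printf '%s %p\n'` over adb) rather than the constructed list, and the extension set would be replaced with the one recovered from the sample under analysis.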
It is also noteworthy that each victim of the encryptor is assigned a unique ransom amount in the range of 0.01 to 0.02 bitcoin (roughly 100 to 200 dollars).
“The unique ransom amount is an innovation: we have never seen a similar model of extortion from Android users,” said Lukas Štefanko. “In general, the detected campaign looks unprofessional. However, if the distribution is improved, this ransomware can become a serious threat.”
At the time of publication, the user profiles that distributed Android/Filecoder.C on the XDA Developers forum had been deleted. However, the malicious links on Reddit were still live.
How to stay safe 😉
This discovery shows that ransomware still poses a threat to Android mobile devices. To stay safe, users should stick to basic security principles:
- Keep your devices up to date, ideally set them to patch and update automatically so that you stay protected.
- If possible, stick with Google Play or other reputable app stores. These markets may not be completely free from malicious apps, but you have a fair chance of avoiding them.
- Prior to installing any app, check its ratings and reviews. Focus on the negative ones as they often come from legitimate users, while positive feedback is often crafted by the attackers.
- Pay attention to the permissions an app requests. If they seem excessive for what the app does, do not install it.
- Use a reputable mobile security solution to protect your device.