Android/Filecoder.C malware attacking Android OS via Reddit

Android/Filecoder.C – the new ransomware targetting Android OS via tech forums and SMS messages

Ransomware attacks Androids via tech forums and SMS texts

Ransomware actors have just started using quite an odd way to spread their malware. A virus dubbed Android/Filecoder.C has been found on Reddit where it was spread via the infectious link which brings the user to a sex simulation game. While some users might be attracted to the game, the ransomware starts working in the background on the system. It also connects with the command and control server to launch its modules.

According to experts, malware strain was spotted active since July 12 in Reddit forums that were filled with porn-based posts that, in fact, were the ransomware virus.^[1] Additionally, it was detected spreading via the mobile text messages.

The most surprising thing is that the Android/Filecoder.C has even been spotted on other technology forums for Android users, e.g. XDA Developers.^[2] It is clear that the bad actors have been trying to infect as many users as possible and gather more income from them.

Infectious messages can be sent in 42 different languages regarding the mobile phone's settings

As we have mentioned, the ransomware has also been found spreading via mobile text messages. If the victim is tricked into accessing the link, the suspicious message is sent to the entire contact list by claiming false things such as that the contact's pictures have been brought to the sex-based game:

These messages include links to the ransomware; to increase the potential victims’ interest, the link is presented as a link to an app that supposedly uses the potential victim’s photos.

In fact, the accessed link truly does display a game based on sex simulation, however, this is the moment when Android/Filecoder.C starts operating in the background. What it does first, as we have already mentioned, is making contact with the C&C server and sending tricky messages to the entire contact list.^[3]

What is even more interesting, the malware includes up to 42 versions of different languages and sends a text message to potential victims regarding the language of the targetted Android device.^[4]

Afterward, the encryption process begins and overtakes a big variety of files and documents. However, according to experts, there are some types of components that do not fall in the area of encryption activities:

• .zip and .rar files that take over 51,200 KB of size.
• .jpg, .jpeg, and .png files that take space less than 150 KB.

72 hours are given to pay the ransom

As Android/Filecoder.C operating principle is ransomware-based, bad actors do not go without a ransom demand. Users who are infected with this malware are provided with a note that urges a transfer in Bitcoin in exchange for unlocking blocked data. For a bigger threat, hackers scare victims that important content will be permanently deleted after 72 hours of silence.

Choosing to believe in such claims or not is your own option, however, we suggest to hardly doubt these people as crooks are not only hackers but they often appear to be scammers too. Transferring the demanded ransom price does not give you any guarantees that you will truly receive the decryption tool. Supposedly, you will be left with useless monetary losses and that is it.

There have been numerous ransomware viruses already released and some are more popular than others. If you are an intense researcher and read the IT news daily, you might have heard about other commonly spread malware. For example, one of the most popular threats – GandCrab was used in different types of cyberattacks but seems to be coming up to an end now.^[5]