Malware researchers have just spotted the Cerber ransom note in the source code of two Android applications. Accechiamoli and ForzaFò apps, which includes the infamous README.hta file, can be downloaded directly from Google Play store. This discovery might look worrying and terrifying that developers of the hazardous malware decided to expand their target field. However, we can reveal that it’s not an issue. A new malicious campaigned aimed at Android devices hasn’t been launched. Thus, the virus still affects Windows OS users only. Therefore, Italian Foggia Calcio football club fans should not be worried about the possibility to get infected with ransomware.
ESET security team scanned these two applications looking for the Cerber payload. However, they did not find anything suspicious and potentially dangerous to the Android devices. The scanner only detected README.hta file – the Cerber ransom note. According to the ESET mobile security expert Lukas Stefanko, one of the reasons why this file ended up on in these applications is that the developer Francesco Pio Recchia was the victim of the Cerber. During the attack, the virus drops ransom note in each folder that contains encrypted files. Hence, if the developer haven’t performed removal of these files, it might have been left in the application’s icon folder. Another assumption suggests that the designer of the icons that are used in Accechiamoli and ForzaFò applications might have suffered from the Cerber. Thus, ransom note might have been accidentally left in the icons folder. Meanwhile, the developer did not check it and simply copy-pasted it. Though, the ransom note was just unnoticed. However, it’s just assumptions. The truth what have happened actually is still unknown.
Nevertheless, HTA files might be used for spreading file-encrypting viruses; it’s not the case. The README.hta file is not malicious and does not include the attack code. Security programs identify it as malicious, but the truth is it cannot cause any damage to the device. It just includes instructions what hackers want victims to do after ransomware attack. The ransom note includes information about data encryption and demands to pay the ransom in order to get them back. Victims are asked to transfer some Bitcoins via special Cerber payment website which can be accessed using Tor browser only. However, we want to remind that victims of the ransomware should not follow cyber criminals’ order. Paying the ransom does not guarantee that you get back access to your files.