Filecoder Ransomware Spreads via SMS Disguised as Adult Game
Security experts at ESET have reported on a new Android malware called Android/Filecoder.C (hereafter referred to as Filecoder), which was actively spreading in July 2019 through SMS messages and QR codes posted in pornography-related sections on Reddit and the XDA Developers forum. The malware was disguised as a free online sex simulator game. Currently, Filecoder targets devices running Android 5.1 or later.
How Filecoder Spreads
Researchers noted that the XDA forum administration removed the malicious posts after receiving complaints, but the links on Reddit were still active when ESET analysts published their report. To hide the suspicious URLs, the attackers used the bit.ly link-shortening service. The QR codes led to malicious APK files: infected apps that request the following permissions:
- android.permission.SET_WALLPAPER
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.READ_CONTACTS
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.SEND_SMS
- android.permission.INTERNET
Once installed, the malicious app sends text messages to the victim’s entire contact list, urging recipients to click a link and download the malware themselves. The messages claim that the victim’s photos have been added to a porn app.
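The permission list above, combined with the SMS self-propagation just described, is the kind of signal a defender can check for during APK triage. The following is an added example (not ESET's or the malware's code) that parses a constructed AndroidManifest.xml and flags the permission combinations matching the behaviour reported for Filecoder; the manifest content and pattern names are assumptions made for illustration.

```python
"""Manifest triage: flag the permission combinations reported for
Android/Filecoder.C (SMS worm via contacts + external-storage access).
Added example; the sample manifests below are constructed, not real APKs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Full permission set the article lists for Filecoder.
FILECODER_PERMISSIONS = {
    "android.permission.SET_WALLPAPER",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
}

# Sub-combinations that map to the behaviours the article describes.
# Pattern names are hypothetical labels chosen for this example.
PATTERNS = {
    "sms-worm": {"android.permission.SEND_SMS",
                 "android.permission.READ_CONTACTS"},
    "storage-encryptor": {"android.permission.READ_EXTERNAL_STORAGE",
                          "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Report matched behaviour patterns and overlap with the Filecoder set."""
    perms = manifest_permissions(manifest_xml)
    hits = sorted(name for name, needed in PATTERNS.items() if needed <= perms)
    overlap = len(perms & FILECODER_PERMISSIONS) / len(FILECODER_PERMISSIONS)
    return {"patterns": hits, "filecoder_overlap": round(overlap, 2)}


def _manifest(*names: str) -> str:
    """Build a minimal constructed manifest declaring the given permissions."""
    body = "".join(f'<uses-permission android:name="{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.constructed">' + body + "</manifest>")


SUSPECT_MANIFEST = _manifest(*sorted(FILECODER_PERMISSIONS))
BENIGN_MANIFEST = _manifest("android.permission.INTERNET")

if __name__ == "__main__":
    print(triage(SUSPECT_MANIFEST))  # both patterns, overlap 1.0
    print(triage(BENIGN_MANIFEST))   # no patterns, overlap 0.14
```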
Multilingual Scam Messages
The scam messages are written in 42 languages, but a careful user might notice something is off: the translations are poor, and the SMS texts often consist of nonsensical word combinations.
File Encryption and Ransom Demand
After infection, the malware encrypts files on the victim’s device. However, the list of file extensions targeted for encryption is unusual, including types not typically associated with Android. Some files are left unencrypted: .zip or .rar files larger than 50 MB (51,200 KB), and .jpeg, .jpg, and .png files smaller than 150 KB.
“It appears the list of extensions was copied from the one used in the infamous WannaCry campaign,” noted ESET expert Lukas Stefanko.
Victims then receive a notification demanding a ransom payment in Bitcoin, threatening that all files will be deleted after 72 hours if payment is not made. However, ESET analysts did not find any code in the ransomware that would actually delete files after a set time.
Unique Features of Filecoder
Unlike most Android ransomware, Filecoder does not lock the victim’s screen, allowing continued use of the device. Notably, each victim is assigned a unique ransom amount between 0.01 and 0.02 Bitcoin (about $90 to $180 at the time, or 6,000 to 12,000 rubles).
“A unique ransom amount is a novelty; we have never seen this model used against Android users before,” wrote Stefanko. “Overall, the campaign appears unprofessional. However, if the distribution method is improved, this ransomware could become a serious threat.”