Despite the belief by many that smartphones are virtually unhackable, hackers and cybercriminals wouldn’t dare leave a market as large as that powered by Android untouched. There are simply too many opportunities and too many people who fall for the security fallacy.

Filecoder.C’s First Appearance

Previous versions of Android ransomware have not been particularly successful. Still, in the summer of 2019, ESET Mobile Security detected a new form of ransomware dubbed Android/Filecoder.C, which was making it through various online forums as tantalizing clickbait. Once this ransomware worms its way onto a single smartphone, it opens up the victim’s contact list and uses SMS messages to spread itself through malicious links.

Table of Contents

(Guide) New Android Ransomware Aims to Strike Through Message Boards

So far, a lack of execution is working against the Android/Filecoder.C, limiting its victim count. Still, the emergence of this first wave of Android malware is just an early warning sign that a flood of malware targeted at Android users is on its way.

Android/Filecoder.C’s First Appearance –

The first noted appearance of Android/Filecoder.C came on 12 July 2019 when it was found via a malicious post on two websites: the infinitely popular Reddit forums and XDA Developers, a forum for Android developers.

When XDA Developers realized the error, they quickly removed the post, but Reddit, which has seemingly millions of posts per day, never did take the infected post down. The malware campaign has two domains that are controlled by its attackers, and the attack method is more or less a classic phishing campaign where victims are lured by posting or commenting on the posts on Reddit or the XDA Developers site. Once there, the malicious Android files are downloaded. Without quality anti-malware security in place on the phone, there is little chance that the user ever even notices the transfer until it is far too late. A large number of malicious posts are technical to lure the developers or pretend to contain some pornography, to attract the most significant number of general interest clicks on Reddit. Once on a machine, the ransomware quickly spreads to other devices via SMS messages that leave no trace on the original machine. In the case of the adult posts, it usually contains an adult-centric game for the phone that downloads correctly, although it has the hidden files attached that first download, then begin triggering malicious messages threatening to delete all a user’s files if they do not submit to the request to have Bitcoin sent to a specific email address in a particular amount.

Android Ransomware

The ransomware can encrypt all files except system files, meaning a user can turn the phone on and off, but cannot do anything else. A screen will then appear showing a time limit to pay (usually 72 hours) along with how many files are being held hostage and the cost of getting them back.

As is almost always the case in ransomware, there is no guarantee that the cybercriminals can, or even know-how, to restore access to your files once the ransom has been paid, so always take that demand with a grain of salt. The protection you can put on your phone is a lot more cost-efficient. In many cases, it is safer to switch to a new phone that has backup points or much better security.