Many people keep their most important files on a mobile device without ever thinking about backing them up to a computer. That makes their phones a prime target for ransomware, and there’s a new attack spreading to Android phones right now. The new Android Filecoder.C malware uses weird “sex simulator” landing pages to trick people into downloading it, but you’ll pay for that click with more than your self-respect.
The Filecoder.C malware first appeared on Reddit and XDA Forums as spammy messages directing people to the aforementioned sex simulator. Yes, people clicked on the links, and at least some of them downloaded the app. ESET says the infection has spread mainly via text messages, but thankfully, the scale is still small.
Android has more robust system controls than Windows, which prevent apps from installing in the background when you visit a malicious website. Thus, the only way to become infected with Filecoder.C is to download the APK, bypass the download warning, launch the installer, turn on the system’s “unknown sources” feature, and tap through one more warning about app permissions.
After installation, Filecoder.C searches a device for documents, photos, videos, and various other files. It encrypts them and generates a private-public key pair. The private key gets uploaded to a command-and-control server, and the public one stays on the device. Unlike some other Android ransomware, Filecoder.C doesn’t lock down the entire device, and it doesn’t touch APK files. That suggests it was adapted from desktop malware like WannaCry.
As usual with ransomware, the program presents a payment screen that explains that the data has been encrypted. The only way to unlock the files is to pay some Bitcoin; in this case, the amount is randomly generated and falls between $94 and $188 at current prices. The malware promises to send the private key to the device for decryption after the victim pays.
While all this happens, Filecoder.C also sends SMS messages to all the victim’s contacts with some variation on the sex simulator message. It has 42 languages hardcoded and chooses the one that matches the device language setting.
Consider this just one more reason why you shouldn’t download suspicious apps from the internet. Security firm ESET says that is the first line of defense for users. Keeping backups of your files is a good idea as well. The malware makers don’t have leverage over you if you stand to lose nothing.