Self-replicating malware is not new but it is scary and an alert from ESET this morning has us shaking in our Android powered boots.

The reason for this is a new ransomware family ESET has dubbed Android/Filecoder.C which is able to not only encrypt a user’s data but also spread itself by way of text messages.

Discovered on Reddit, Android/Filecoder.C was being distributed on porn-related subreddits and discussions. The profile that was used to distribute the ransomware was identified by ESET but it says the account remains active following the alert.

Before the ransomware begins encrypting the device it fires off a flurry of text messages containing links that when clicked will download a installation file.

“In theory, this can lead to a flood of infections – more so that the malware has 42 language versions of the malicious message. Fortunately, even non-suspecting users must notice that the messages are poorly translated, and some versions do not seem to make any sense,” ESET researcher, Lukáš Štefanko, explained.

The creators of Android/Filecoder.C also don’t seem to be the most professional cybercriminals around, according to the researcher.

“The campaign we discovered is small and rather amateurish. Also, the ransomware itself is flawed – especially in terms of the encryption which is poorly implemented. Any encrypted files can be recovered without help from the attackers,” said Štefanko.

In addition to that, Štefanko says that the ransomware doesn’t lock the device and prevent users from using it. That means that while your phone is encrypted (and poorly) you could still use it. Whether you should however is a debate for another day.

The ransom demanded also ranges from 0.01 to 0.02 Bitcoin with ransoms being randomly assigned according to the UserID of a victim.

“The trick with a unique ransom is novel: we haven’t seen it before in any ransomware from the Android ecosystem,” says Štefanko, “It is probably meant to assign payments to victims. This task is typically solved by creating a unique Bitcoin wallet for every encrypted device. In this campaign, we’ve only seen one Bitcoin wallet being used,” concluded Štefanko.

While this ransomware may not pose much of a threat right now ESET notes that with some tweaking and fixing of flaws, the Android/Filecoder.C ransomware could be come a formidable tool in the cybercrime arsenal.

[Image – CC BY SA 2.0 Buster Benson]