Android/Filecoder.C Mobile Malware

Android/Filecoder.C Mobile Malware


"Android/Filecoder.C" is an android ransomware that has been discovered by ESET in 12th July 2019. This ransomware can affect android versions 5.1 and above. The attackers misuse "xda-developers" and "reddit" websites to distribute the malware by sending malicious posts containing malware related links whereas the topics are mostly porn-related or in some cases tech-related to lure the users to click.

After being installed on victim's device and before starting to encrypt the files, this ransomware sends SMS with malicious links to all of the contacts in the victim's contact list, to increase the victims.

By clicking on the malicious links in the mentioned websites or clicking on the links contained in the received SMS, the user will be the victim of the malware and a lot of files in the device will be encrypted and actually will be useless. To decrypt the locked files and to access them again, the victim should pay the requested ransom to the bitcoin address provided by the attacker.

It should be noted that unlike typical android ransomware, Android/Filecoder.C doesn't prevent use of the device by locking the screen, but if the victim removes the app, the ransomware will not be able to decrypt the files. Meanwhile this malware does NOT encrypt the following files:

  • files in directories that contain the strings ".cache", "tmp" or "temp"
  • files with ".zip" or ".rar" extensions
  • files with a file size more than 50 MB
  • ".jpeg", ".jpg" and ".png" files with a file size less than 150 KB
  • some typical android extensions such as .apk and .dex

C&C server addresses used by the ransomware are as follows:

Symptoms of infection
  • ransom note displayed on the screen (at the end of the encryption process)
  • lots of files became useless because of the encryption applied, such as pictures and videos
  • a lot of files with ".seven" extension generated on the device
Methods of Clearing Mobile Infected

It is not possible to use the encrypted files again, until the decryption key is available, and after removing the malicious application, the encrypted files cannot be recovered any more.

Methods of Infection Prevention

The following recommendations can play a significant role in preventing the mobile phones from being infected by the above-mentioned malwares.

  • Download and install applications from the trusted sources
    To minimize probability of installing malware, it is better to download and install applications from trusted sources like Google play store; though there is still probability of installing malware from any source, based on the observed security news.
  • Updating android operating system of the device
    To prevent hackers from exploiting the known android vulnerabilities, it is better to update the android operating system to the latest version, existing for the device.
  • Consider permissions required from the application to be installed
    During installation of android applications, they request some permissions to be accepted by the user. It is very important to prevent installing if it requires more permissions than needed; considering the functionality it provides (based on the developer's explanations about the application).
  • Check the ratings and reviews about the application
    Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.
  • Install anti-virus software and update it periodically
    In recent years, the widespread prevalence of malware and viruses on android mobile devices caused many problems for smart phone users, so installing an anti-virus program is one of the essentials to prevent the android devices to be infected and malwares to be spread.

also notice that always use a trusted and reliable anti-virus program and update it periodically to detect newly released malwares as soon as possible.