A hacker has been using links to a porn app to trick users into installing a new Android ransomware strain.

The ransomware, dubbed "Android/Filecoder.C," has been circulating on Reddit and the XDA Developers forum, according to Lukas Stefanko, a researcher with antivirus firm ESET. The hacker behind the malicious code has been posting links to a "sex simulator" app, telling users to try it out. But in reality, the links will download the ransomware to the victim's phone.

Once the app is manually sideloaded, the ransomware will try to spread to other Android devices. It'll do this by going through the victim's contact list, and sending SMS messages to all the phone numbers it can find. Each message will contain a link to download the sex simulator app.

"To maximize its reach, the ransomware has the 42 language versions of the message template," Stefanko said. To trick unsuspecting victims, the SMS message will claim the contact's personal photos have been uploaded to the sex simulator app.

After the malicious SMS messages have been sent out, the ransomware will then proceed to encrypt the data on the victim's phone. Once completed, a ransom note will be displayed over the screen, demanding the victim pay about $94 to $188 in Bitcoin to recover their data. If they don't, the encrypted data will be erased after 72 hours.

However, Stefanko said the newly discovered ransomware strain has some flaws. "According to our analysis, there is nothing in the ransomware's code to support the claim that the affected data will be lost after 72 hours," he said in today's research note. The encryption process can also be reversed without paying the hacker; the special key to decrypt the files is actually present in the ransomware's code, and appears to be the same across all versions of the Android/Filecoder.C ransomware, he noted.

"Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited," he said. "However, if the developers fix the flaws and the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat."

The ransomware campaign has been active since at least July 12. One link the hacker used to spread the malicious app was clicked on 59 times. However, the Bitcoin address used to accept the ransom payments has so far received no transactions.

To avoid malware on Android, it's best to download apps only from the Google Play Store. Although the store isn't perfect at stopping all threats, Google tries to vet every app for malware. You can also consider installing antivirus software on your phone.
