{
	"id": "7ac88882-29bd-4609-af4a-43a5502b960e",
	"created_at": "2026-04-06T00:06:49.847738Z",
	"updated_at": "2026-04-10T03:20:17.005764Z",
	"deleted_at": null,
	"sha1_hash": "7cacb880e6fce22d24bf37c0bb8c01399946f1dc",
	"title": "Android ransomware is back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721655,
	"plain_text": "Android ransomware is back\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 14:07:46 UTC\r\nUPDATE (July 30th, 2019): Due to rushing with the publication of this research – in order to warn about this threat as soon as possible – we erroneously stated that “because of the hardcoded key value that is used to encrypt the private key, it would be possible to decrypt files without paying the ransom by changing the encryption algorithm to a decryption algorithm”. However, this “hardcoded key” is an RSA-1024 public key, which can’t be easily broken, hence creating a decryptor for this particular ransomware is close to impossible. Hat tip goes to Alexey Vishnyakov from Positive Technologies who drew our attention to this inaccuracy.\r\nAfter two years of decline in Android ransomware, a new family has emerged. We have seen the ransomware, detected by ESET Mobile Security as Android/Filecoder.C, distributed via various online forums. Using victims’ contact lists, it spreads further via SMS with malicious links. Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.\r\nAndroid/Filecoder.C has been active since at least July 12th, 2019. Within the campaign we discovered, Android/Filecoder.C has been distributed via malicious posts on Reddit and the “XDA Developers” forum, a forum for Android developers. We reported the malicious activity to XDA Developers and Reddit. The posts on the XDA Developers forum were removed swiftly; the malicious Reddit profile was still up at the time of publication.\r\nAndroid/Filecoder.C spreads further via SMS with malicious links, which are sent to all contacts in the victim’s contact list.\r\nAfter the ransomware sends out this batch of malicious SMSes, it encrypts most user files on the device and requests a ransom.\r\nUsers with ESET Mobile Security receive a warning about the malicious link; should they ignore the warning and download the app, the security solution will block it.\r\nDistribution\r\nThe campaign we discovered is based on two domains (see the IoCs section below), controlled by the attackers, that contain malicious Android files for download. The attackers lure potential victims to these domains via posting or commenting on Reddit (Figure 1) or XDA Developers (Figure 2).\r\nMostly, the topics of the posts were porn-related; alternatively, we’ve also seen technical topics used as a lure. In all comments or posts, the attackers included links or QR codes pointing to the malicious apps.\r\nhttps://www.welivesecurity.com/2019/07/29/android-ransomware-back/\r\nPage 1 of 14\r\nFigure 1. The attacker’s Reddit profile with malicious posts and comments\r\nFigure 2. Some of the attackers’ malicious posts on the XDA Developers forum\r\nIn one link that was shared on Reddit, the attackers used the URL shortener bit.ly. This bit.ly URL was created on Jun 11, 2019 and as seen in Figure 3 its statistics show that, at the time of writing, it had reached 59 clicks from different sources and countries.\r\nFigure 3. Statistics for the bit.ly link shared on Reddit during the ransomware campaign\r\nSpreading\r\nAs previously mentioned, the Android/Filecoder.C ransomware spreads links to itself via SMS messages to all the entries in the victim’s contact list.\r\nThese messages include links to the ransomware; to increase the potential victims’ interest, the link is presented as a link to an app that supposedly uses the potential victim’s photos, as seen in Figure 4.\r\nTo maximize its reach, the ransomware has the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them.\r\nFigure 4. An SMS with a link to the ransomware; this language variant is sent if the sending device has the language set to English\r\nFigure 5. A total of 42 language versions that are hardcoded in the ransomware\r\nFunctionality\r\nOnce potential victims receive an SMS message with the link to the malicious application, they need to install it manually. After the app is launched, it displays whatever is promised in the posts distributing it – most often, it’s a sex simulator online game. However, its main purposes are C\u0026C communication, spreading malicious messages and implementing the encryption/decryption mechanism.\r\nAs for C\u0026C communication, the malware contains hardcoded C\u0026C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.\r\nFigure 6. An example of a set of addresses for the ransomware to retrieve C\u0026C addresses\r\nThe ransomware has the ability to send text messages, due to having access to the user’s contact list. Before it encrypts files, it sends a message to each of the victim’s contacts using the technique described in the “Spreading” section above.\r\nNext, the ransomware goes through files on accessible storage – meaning all the device’s storage except where system files reside – and encrypts most of them (see the “File encryption mechanism” section below). After the files are encrypted, the ransomware displays its ransom note (in English) as seen in Figure 7.\r\nFigure 7. A ransom note displayed by Android/Filecoder.C\r\nIt is true that if the victim removes the app, the ransomware will not be able to decrypt the files, as stated in the ransom note. Also, according to our analysis, there is nothing in the ransomware’s code to support the claim that the affected data will be lost after 72 hours.\r\nAs seen in Figure 8, the requested ransom is partially dynamic. The first part of what will be the amount of bitcoins to be requested is hardcoded – the value is 0.01 – while the remaining six digits are the user ID generated by the malware.\r\nThis unique practice may serve the purpose of identifying the incoming payments. (In Android ransomware, this is typically achieved by generating a separate Bitcoin wallet for each encrypted device.) Based on the recent exchange rate of approximately US$9,400 per bitcoin, the derived ransoms will fall in the range US$94-188 (assuming that the unique ID is generated randomly).\r\nFigure 8. How the malware calculates the ransom\r\nUnlike typical Android ransomware, Android/Filecoder.C doesn’t prevent use of the device by locking the screen.\r\nAs seen in Figure 9, at the time of writing, the mentioned Bitcoin address, which can be dynamically changed but was the same in all cases we’ve seen, has recorded no transactions.\r\nFigure 9. The Bitcoin address used by the attackers\r\nFile encryption mechanism\r\nThe ransomware uses asymmetric and symmetric encryption. First, it generates a public and private key pair. This private key is encrypted using the RSA algorithm with a hardcoded public key stored in the code and sent to the attacker’s server. The attacker can decrypt that private key and, after the victim pays the ransom, send that private key to the victim to decrypt their files.\r\nWhen encrypting files, the ransomware generates a new AES key for each file that will be encrypted. This AES key is then encrypted using the public key and prepended to each encrypted file, resulting in the following pattern:\r\n( (AES)public_key + (File)AES ).seven\r\nThe file structure is seen in Figure 10.\r\nFigure 10. Overview of encrypted file structure\r\nThe ransomware encrypts the following filetypes, by going through accessible storage directories:\r\n\".doc\", \".docx\", \".xls\", \".xlsx\", \".ppt\", \".pptx\", \".pst\", \".ost\", \".msg\", \".eml\", \".vsd\", \".vsdx\", \".txt\", \".csv\", \".rtf\", \".123\", \".wks\", \".wk1\", \".pdf\", \".dwg\", \".onetoc2\", \".snt\", \".jpeg\", \".jpg\", \".docb\", \".docm\", \".dot\", \".dotm\", \".dotx\", \".xlsm\", \".xlsb\", \".xlw\", \".xlt\", \".xlm\", \".xlc\", \".xltx\", \".xltm\", \".pptm\", \".pot\", \".pps\", \".ppsm\", \".ppsx\", \".ppam\", \".potx\", \".potm\", \".edb\", \".hwp\", \".602\", \".sxi\", \".sti\", \".sldx\", \".sldm\", \".sldm\", \".vdi\", \".vmdk\", \".vmx\", \".gpg\", \".aes\", \".ARC\", \".PAQ\", \".bz2\", \".tbk\", \".bak\", \".tar\", \".tgz\", \".gz\", \".7z\", \".rar\", \".zip\", \".backup\", \".iso\", \".vcd\", \".bmp\", \".png\", \".gif\", \".raw\", \".cgm\", \".tif\", \".tiff\", \".nef\", \".psd\", \".ai\", \".svg\", \".djvu\", \".m4u\", \".m3u\", \".mid\", \".wma\", \".flv\", \".3g2\", \".mkv\", \".3gp\", \".mp4\", \".mov\", \".avi\", \".asf\", \".mpeg\", \".vob\", \".mpg\", \".wmv\", \".fla\", \".swf\", \".wav\", \".mp3\", \".sh\", \".class\", \".jar\", \".java\", \".rb\", \".asp\", \".php\", \".jsp\", \".brd\", \".sch\", \".dch\", \".dip\", \".pl\", \".vb\", \".vbs\", \".ps1\", \".bat\", \".cmd\", \".js\", \".asm\", \".h\", \".pas\", \".cpp\", \".c\", \".cs\", \".suo\", \".sln\", \".ldf\", \".mdf\", \".ibd\", \".myi\", \".myd\", \".frm\", \".odb\", \".dbf\", \".db\", \".mdb\", \".accdb\", \".sql\", \".sqlitedb\", \".sqlite3\", \".asc\", \".lay6\", \".lay\", \".mml\", \".sxm\", \".otg\", \".odg\", \".uop\", \".std\", \".sxd\", \".otp\", \".odp\", \".wb2\", \".slk\", \".dif\", \".stc\", \".sxc\", \".ots\", \".ods\", \".3dm\", \".max\", \".3ds\", \".uot\", \".stw\", \".sxw\", \".ott\", \".odt\", \".pem\", \".p12\", \".csr\", \".crt\", \".key\", \".pfx\", \".der\"\r\nHowever, it doesn’t encrypt files in directories that contain the strings “.cache”, “tmp”, or “temp”.\r\nThe ransomware also leaves files unencrypted if the file extension is “.zip” or “.rar” and the file size is over 51,200 KB/50 MB, and “.jpeg”, “.jpg” and “.png” files with a file size less than 150 KB.\r\nThe list of filetypes contains some entries unrelated to Android and at the same time lacks some typical Android extensions such as .apk, .dex, .so. Apparently, the list has been copied from the notorious WannaCryptor aka WannaCry ransomware.\r\nOnce the files are encrypted, the file extension “.seven” is appended to the original filename, as seen in Figure 11.\r\nFigure 11. Encrypted files with the extension “.seven”\r\nDecryption mechanism\r\nCode to decrypt encrypted files is present in the ransomware. If the victim pays the ransom, the ransomware operator can verify that via the website seen in Figure 12 and send the private key to decrypt the files.\r\nFigure 12. Ransom payment verification web page\r\nHow to stay safe\r\nFirst of all, keep your devices up to date, ideally set them to patch and update automatically, so that you stay protected even if you’re not among the most security savvy users.\r\nIf possible, stick with Google Play or other reputable app stores. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.\r\nPrior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.\r\nFocus on the permissions requested by the app. If they seem inadequate for the app’s functions, avoid downloading the app.\r\nUse a reputable mobile security solution to protect your device.\r\nIndicators of Compromise (IoCs)\r\nHash ESET detection name\r\nB502874681A709E48F3D1DDFA6AE398499F4BD23 Android/Filecoder.C\r\nD5EF600AA1C01FA200ED46140C8308637F09DFCD Android/Filecoder.C\r\nB502874681A709E48F3D1DDFA6AE398499F4BD23 Android/Filecoder.C\r\nF31C67CCC0D1867DB1FBC43762FCF83746A408C2 Android/Filecoder.C\r\nBitcoin address\r\n16KQjht4ePZxxGPr3es24VQyMYgR9UEkFy\r\nServers\r\nhttp://rich7[.]xyz\r\nhttp://wevx[.]xyz\r\nhttps://pastebin[.]com/raw/LQwGQ0RQ\r\nContact e-mail address\r\nh3athledger@yandex[.]ru\r\nAffected Android versions\r\nAndroid 5.1 and above\r\nSource: https://www.welivesecurity.com/2019/07/29/android-ransomware-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/07/29/android-ransomware-back/"
	],
	"report_names": [
		"android-ransomware-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cacb880e6fce22d24bf37c0bb8c01399946f1dc.pdf",
		"text": "https://archive.orkl.eu/7cacb880e6fce22d24bf37c0bb8c01399946f1dc.txt",
		"img": "https://archive.orkl.eu/7cacb880e6fce22d24bf37c0bb8c01399946f1dc.jpg"
	}
}