New Android Ransomware Spreads Through Forum Posts and Customized Texts

Cyber extortionists have created new ransomware that encrypts files on Google Android devices. Find out how this ransomware infiltrates devices so you can avoid becoming a victim.

A new family of ransomware known as Android/Filecoder.C has been discovered. The initial infection occurs when Google Android device users download a malicious app by means of a link or quick response (QR) code in a forum post. Once on a device, the ransomware tries to spread itself by sending text messages to everyone on the victim’s contact list. Each message is customized with the recipient’s name to make the text seem more legitimate.

This ransomware could become a serious threat if the cybercriminals start targeting broader groups of users, according to security researchers. To avoid becoming a victim of this ransomware and similar variants, it helps to dissect past Android/Filecoder.C attacks to see how the ransomware infiltrated victims’ devices.

The Infiltration

When it comes to ransomware, looking at past attacks can help you prepare for new ones. Here is how the Android/Filecoder.C attacks in July and August 2019 were typically carried out:

To initially get the ransomware onto devices, cybercriminals posted messages in popular online forums such as Reddit and XDA Developers (a forum for mobile software developers). While most of the comments were porn-related, some dealt with technical topics.

The posted messages contained a malicious link or quick response (QR) code. In some cases, the hackers used the Bitly URL shortening service (aka “bit.ly” links) to mask the links’ real destinations. Other times, the hackers made no attempt to hide the links, which typically ended in “.apk”. Android Package Kit (APK) files are used to distribute and install mobile apps on Android devices outside of an app store, and cybercriminals sometimes hide malware in these files.

People who clicked the links or scanned the QR codes in the forum posts downloaded an APK containing Android/Filecoder.C to their devices. (Android still requires the user to allow installation from an unknown source and to install the app, so the victims took those steps themselves.) When the victims launched the malicious app, it displayed whatever the post had promised so the victims would not immediately realize their devices were infected with ransomware. Nor were they aware that the ransomware, using the SMS and contact permissions granted to the app, was sending text messages to the people in their contact lists. The text messages tried to lure the recipients into downloading the same malicious app, and each message included the recipient’s name to make it seem more legitimate.

Once the text messages were sent, the ransomware went to work encrypting more than 175 types of files and appending the file extension “.seven” to the original filenames (e.g., ProductPhoto0057.jpg.seven, QuarterlyReport.docx.seven). However, unlike some ransomware, Android/Filecoder.C did not lock the devices’ screens or prevent the devices from being used.

After all the files were encrypted, Android/Filecoder.C displayed its ransom note. The victims were instructed to pay the ransom in bitcoin; the amounts varied, usually ranging from $98 to $188 (USD). Although the ransom note stated that the victims would lose their data if they did not pay within 72 hours, security researchers found nothing in the ransomware’s code to support that claim.

Be Cautious

Being cautious goes a long way toward avoiding becoming a victim of Android/Filecoder.C and similar ransomware variants. For starters, avoid clicking links and scanning QR codes in online forums and similar public venues, especially shortened links (such as bit.ly links, which hide the real destination until you follow them) and links that end in “.apk” (a direct app download that bypasses Google Play). Typically, anyone, including cybercriminals, can post messages in forums. Even clicking links and scanning QR codes in a moderated forum can be risky, as forum owners might initially allow all messages to be posted, with a moderator reading them days later or only if there is a complaint.

Similarly, avoid clicking links in text and email messages from unknown sources. Clicking links can be risky even if a message appears to come from someone you know. As Android/Filecoder.C demonstrates, malware running on a friend’s phone can send texts from their number, with each contact’s name filled in, without the friend knowing; attackers are likewise skilled at hijacking email accounts. So if a text or email message supposedly from someone you know seems odd, call the person to ask whether they sent it.
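The two lure traits described above, shortened links and direct APK downloads, can be checked mechanically before anyone taps. The following is an added example, not code from the original article or from the researchers who analyzed the ransomware: it pulls URLs out of a forum post or text message and flags the ones with those traits. The shortener list, the placeholder hosts, and the sample messages are all assumptions constructed for the example; a link that comes back “unflagged” is merely unflagged, not known safe, and expanding a shortened link would require following its redirects, which this offline check deliberately does not do.

```python
import re
from urllib.parse import urlsplit

# Matches http(s):// URLs and bare www. links in free text; stops at whitespace and brackets.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"'()\[\]]+")
TRAILING_PUNCT = ".,;:!?"
# Assumed list of common URL shorteners (not exhaustive); extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}
# Android installer package extensions: a link ending this way installs code, not content.
APK_SUFFIXES = (".apk", ".xapk", ".apks")


def extract_urls(text: str) -> list[str]:
    """Pull URLs out of a post or SMS, dropping sentence punctuation glued to the end."""
    return [m.rstrip(TRAILING_PUNCT) for m in URL_RE.findall(text)]


def triage_link(url: str) -> dict:
    """Classify one URL by the two lure traits the campaign relied on."""
    # urlsplit only recognises the host when a scheme is present, so add one to bare www. links
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path, query = parts.path.lower(), parts.query.lower()
    reasons = []
    if host in SHORTENER_HOSTS:
        reasons.append("shortened URL: the real destination is hidden until it is followed")
    if path.endswith(APK_SUFFIXES):
        reasons.append("direct APK download: installs an app without going through Google Play")
    elif any(s in query for s in APK_SUFFIXES):
        reasons.append("APK filename in the query string: a download disguised as a page")
    return {"url": url, "host": host, "risk": "high" if reasons else "unflagged", "reasons": reasons}


def triage_message(text: str) -> list[dict]:
    """Triage every link found in a forum post or text message."""
    return [triage_link(u) for u in extract_urls(text)]


# Constructed samples modelled on the lure types described above; hosts and paths are placeholders.
SAMPLE_FORUM_POST = (
    "New tool for rooted phones, grab it here: https://bit.ly/example-short "
    "or straight from http://files.example.net/tools/rootkit-pro.apk. Enjoy!"
)
SAMPLE_SMS = "Hey Sam, someone used your photos in this app, take a look: www.example.org/view?file=photos.apk"
SAMPLE_STORE_LINK = "Official listing: https://play.google.com/store/apps/details?id=com.example.app"

if __name__ == "__main__":
    for label, text in [("forum", SAMPLE_FORUM_POST), ("sms", SAMPLE_SMS), ("store", SAMPLE_STORE_LINK)]:
        for verdict in triage_message(text):
            print(f"[{label}] {verdict['risk']:9} {verdict['url']}")
            for reason in verdict["reasons"]:
                print(f"           - {reason}")
```

Run it as a script to see the three constructed messages triaged; the SMS sample shows why the check looks at the query string as well as the path, since a download link does not have to end in “.apk” to deliver one.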

Besides being cautious about links and QR codes, be leery of installing apps from third-party sources on your device. It is best to install apps only from official stores like Google Play. Although a few malicious apps find their way into these stores, the risk is much greater if you download apps from third-party sources.

Even if an app is in an official store, research it before installing it. Reading the app’s reviews in the store and searching the Internet for the app might reveal security issues. Also review the permissions the app requests. If they seem excessive for what the app does (a wallpaper or photo-viewer app has no reason to send text messages or read your contacts, the two capabilities that let Android/Filecoder.C spread), do not install it.

Be Proactive

Besides being cautious, you need to take preemptive measures to protect your device from Android/Filecoder.C. If you do not already have a mobile security solution installed on your device, it is time to get one. Mobile security solutions detect and block known types of malware, including ransomware. Some security solutions even scan apps for suspicious activity before you download them.

Another important measure is to make sure the software on your Android device is being regularly updated so that known vulnerabilities are patched. This reduces the number of exploitable entry points in your device. Apps installed from Google Play are updated automatically by default, but operating system updates depend on your device maker and carrier and often wait for you to approve them, so check that both kinds of updates are actually being installed. Apps obtained outside Google Play do not update through it, so you must keep those up to date yourself.

Regularly backing up your mobile device is also important when it comes to ransomware. Although having restorable backups won’t help prevent a ransomware attack, you won’t have to pay the cyber-extortionists to get your files back if an infection occurs.
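Putting the file-naming detail from the attack description together with the advice on backups: after an infection, the first job is to work out which files were hit and which of them a backup actually covers. The script below is an added example, not code from the original article or from any published analysis of the ransomware. It assumes the naming scheme described above (original name plus “.seven”), walks a copy of the device storage, recovers the original names, and marks each file restorable if the same relative path exists in a backup directory. The sample device image and backup are constructed in a temporary directory so the script runs offline.

```python
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_SUFFIX = ".seven"  # Android/Filecoder.C appends this to the original filename


def recover_original_name(encrypted_name: str) -> tuple[str, str]:
    """Return (original filename, original extension) for a renamed file.
    'ProductPhoto0057.jpg.seven' -> ('ProductPhoto0057.jpg', '.jpg')."""
    if not encrypted_name.endswith(RANSOM_SUFFIX):
        raise ValueError(f"{encrypted_name!r} does not carry the {RANSOM_SUFFIX} suffix")
    original = encrypted_name[: -len(RANSOM_SUFFIX)]
    return original, Path(original).suffix.lower()


def inventory(device_root: Path) -> list[dict]:
    """Walk a copy of the device storage and list every ransomware-renamed file."""
    entries = []
    for enc in sorted(device_root.rglob(f"*{RANSOM_SUFFIX}")):
        if not enc.is_file():
            continue
        original, ext = recover_original_name(enc.name)
        rel = enc.relative_to(device_root).with_name(original)
        entries.append({
            "encrypted": str(enc),
            "original_rel": str(rel),
            "ext": ext or "(none)",  # no inner extension: review by hand, may not be ransomware output
        })
    return entries


def plan_restore(entries: list[dict], backup_root: Path) -> list[dict]:
    """Mark each entry restorable when the original path exists in the backup."""
    for e in entries:
        e["restorable"] = (backup_root / e["original_rel"]).is_file()
    return entries


def summarize(entries: list[dict]) -> dict:
    """Counts by original extension plus the list of files the backup does not cover."""
    return {
        "by_extension": dict(Counter(e["ext"] for e in entries)),
        "restorable": sum(1 for e in entries if e["restorable"]),
        "missing_from_backup": [e["original_rel"] for e in entries if not e["restorable"]],
    }


def _write(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Build a constructed device image and backup in a temp dir, then scope the incident."""
    with tempfile.TemporaryDirectory() as tmp:
        device, backup = Path(tmp) / "device", Path(tmp) / "backup"
        # Constructed sample: three renamed files, one odd ".seven" file with no inner
        # extension, one untouched file, and a backup that covers only two of the originals.
        _write(device / "DCIM/ProductPhoto0057.jpg.seven", b"\x00" * 16)
        _write(device / "Documents/QuarterlyReport.docx.seven", b"\x00" * 16)
        _write(device / "Download/notes.txt.seven", b"\x00" * 16)
        _write(device / "Download/readme.seven", b"\x00" * 16)
        _write(device / "DCIM/untouched.png", b"\x89PNG")
        _write(backup / "DCIM/ProductPhoto0057.jpg", b"\xff\xd8")
        _write(backup / "Documents/QuarterlyReport.docx", b"PK\x03\x04")
        entries = plan_restore(inventory(device), backup)
        return {"entries": entries, "summary": summarize(entries)}


if __name__ == "__main__":
    result = demo()
    for e in result["entries"]:
        print(("RESTORE " if e["restorable"] else "MISSING ") + e["original_rel"])
    print(result["summary"])
```

Run the script against a copy of the storage rather than the live device, and treat the “(none)” bucket as a list to review by hand: a file that ends in “.seven” but has no inner extension may simply be named that way. The “missing_from_backup” list is what tells you whether paying would even be on the table, which is the point of having the backup in the first place.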

Android flickr photo by dungodung shared under a Creative Commons (BY-SA) license


How to Protect Your Sensitive Business Files with Passwords

Protecting a file with a password can provide an extra layer of security for sensitive business documents. Learn how to password-protect your files in Microsoft Word, Excel, and PowerPoint.

Password protection comes in handy if you want to, for example, email a report that contains your company’s sales figures or bring it along on a business trip. If you email a protected file, send the password through a different channel (a phone call or a text message, not the same email); otherwise anyone who intercepts the message gets both the file and the key to it.

Three Microsoft Office apps — Word, Excel, and PowerPoint — offer the ability to password-protect files. As Table 1 shows, this feature is available in nearly all supported versions.

Table 1: Microsoft Office Apps in Which You Can Password-Protect Files

  Word                    Excel                    PowerPoint
  Word for Office 365*    Excel for Office 365*    PowerPoint for Office 365*
  Word 2019*              Excel 2019*              PowerPoint 2019*
  Word 2016*              Excel 2016*              PowerPoint 2016*
  Word 2013*              Excel 2013*              PowerPoint 2013*
  Word 2010**             Excel 2010**             PowerPoint 2010**

   * Uses 256-bit AES encryption (Office 2013 and later)
  ** Uses 128-bit AES encryption (Office 2010)

Before you protect a file, take the time to come up with a unique, strong password for it; otherwise it might be easy for someone to guess or crack. Keep in mind that the file itself can be copied and attacked offline at leisure, so the password’s strength is the only thing standing between an attacker and the contents, no matter which AES key size the app uses. If you tend to forget credentials, store the file’s password in a password manager or another safe location. While not ideal, it beats never being able to open the file again: the apps cannot recover or reset a forgotten password.

How to Password Protect a File

Protecting files with a password is a straightforward process. Plus, the steps are easy to remember, as they are basically the same whether you’re password-protecting a Word document, Excel workbook, or PowerPoint presentation.

To password protect a file, open it in the appropriate app and follow these steps:

  1. Click the “File” tab in the upper left corner.
  2. In the “Info” section, click “Protect Document” if you are in Word, “Protect Workbook” if you are in Excel, or “Protect Presentation” if you are in PowerPoint.
  3. In the drop-down menu that appears, select “Encrypt with Password”.
  4. Enter the password you want to use and click “OK”.
  5. Re-enter the password and click “OK”.
  6. Save and close the file.

When you later open the file, you will be prompted to enter the password you selected.
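The step that goes wrong in practice is the last one: a file that was “Saved As” to another location, exported, or never re-saved after the dialog goes out unencrypted. The following is an added example, not code from the original article or from Microsoft, for checking a file before you send it. It relies on two facts about the format: an unencrypted Word, Excel, or PowerPoint file is a ZIP archive, while an encrypted one is an OLE compound file carrying “EncryptionInfo” and “EncryptedPackage” streams, with newer (“Agile”) files describing their cipher and key size in an XML block. The check searches the raw bytes for those markers instead of parsing the compound file, which is an assumption that holds for typical files but could miss a marker split across a sector boundary; the sample inputs are constructed byte strings that contain only the patterns the check looks for, not real documents. For anything beyond a quick check, use a proper parser such as the olefile or msoffcrypto-tool packages.

```python
import re
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"                          # unencrypted .docx/.xlsx/.pptx are ZIP archives
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file, used for encrypted OOXML
# Compound-file directory entries store stream names as UTF-16LE.
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
AGILE_XML = b"<encryption xmlns="                  # start of the Agile EncryptionInfo XML


def inspect_office_bytes(data: bytes) -> dict:
    """Report whether an Office file is password-encrypted and, if so, how."""
    result = {"encrypted": False, "scheme": None, "key_bits": None,
              "hash": None, "spin_count": None, "note": ""}
    if data.startswith(ZIP_MAGIC):
        result["note"] = "plain OOXML ZIP: no password, anyone holding the file can read it"
        return result
    if not data.startswith(OLE_MAGIC):
        result["note"] = "not an OOXML package or OLE container"
        return result
    if ENCRYPTED_PACKAGE not in data or ENCRYPTION_INFO not in data:
        result["note"] = "OLE container without an EncryptedPackage stream (legacy format or unencrypted)"
        return result
    result["encrypted"] = True
    if AGILE_XML in data:
        # Agile encryption (Office 2010 and later) declares its parameters in XML attributes.
        result["scheme"] = "agile"
        key = re.search(rb'keyBits="(\d+)"', data)
        hsh = re.search(rb'hashAlgorithm="([A-Za-z0-9]+)"', data)
        spin = re.search(rb'spinCount="(\d+)"', data)
        result["key_bits"] = int(key.group(1)) if key else None
        result["hash"] = hsh.group(1).decode() if hsh else None
        result["spin_count"] = int(spin.group(1)) if spin else None
        result["note"] = "Agile encryption; the key is derived from the password by spin_count hash iterations"
    else:
        result["scheme"] = "standard"
        result["note"] = "Standard encryption (Office 2007 style, AES-128 by default)"
    return result


def inspect_office_file(path) -> dict:
    return inspect_office_bytes(Path(path).read_bytes())


# Constructed samples: only the byte patterns the check keys on, not valid documents.
SAMPLE_PLAIN = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml..."
SAMPLE_AGILE_256 = (
    OLE_MAGIC + b"\x00" * 24 + ENCRYPTION_INFO + b"\x00" * 8 + ENCRYPTED_PACKAGE
    + b"\x04\x00\x04\x00\x40\x00\x00\x00"  # EncryptionInfo header: version 4.4, flags 0x40
    + b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    + b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption">'
    + b'<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64" '
    + b'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"/>'
    + b'<keyEncryptors><keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    + b'<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64" '
    + b'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"/>'
    + b"</keyEncryptor></keyEncryptors></encryption>"
)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, inspect_office_file(p))
    if len(sys.argv) == 1:
        print("constructed plain sample:", inspect_office_bytes(SAMPLE_PLAIN))
        print("constructed agile sample:", inspect_office_bytes(SAMPLE_AGILE_256))
```

Pass real files on the command line (python inspect_office.py report.docx) to see the key size and hash the app actually used; the spin count shows why a weak password still loses, since that many hash iterations slow a guessing attack but do not stop it.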


How to Remove Password Protection

You can remove a file’s password protection at any time. To do so, open the file in the appropriate app and follow these steps:

  1. Click the “File” tab in the upper left corner.
  2. In the “Info” section, click “Protect Document” if you are in Word, “Protect Workbook” if you are in Excel, or “Protect Presentation” if you are in PowerPoint.
  3. In the drop-down menu that appears, select “Encrypt with Password”.
  4. Delete the displayed password (it will be masked with asterisks) and click “OK”.
  5. Save and close the file.

You will no longer have to enter the password to open the file.

Password flickr photo by wuestenigel shared under a Creative Commons (BY) license