Koler ransomware variant targets Android users in Canada

Rather than encrypting files, Koler makes devices practically unusable by locking up screens with fake government warnings.
Rather than encrypting files, Koler makes devices practically unusable by locking up screens with fake government warnings.

A variant of Android ransomware known as Koler is being distributed as part of a campaign targeting users in Canada, according to Appthority.

Koler is a type of ransomware that makes mobile devices practically unusable by locking up screens with fake government warnings, rather than by encrypting files. The malware then demands a ransom in order for the device to be returned to normal functionality.

To infect devices, the threat actors – who Appthority believes to be located in and operating out of Eastern Europe – set up malicious adult websites to distribute the malware, Irfan Asrar, senior research scientist at Appthority, told SCMagazine.com in a Monday email correspondence.

So far infection rates are estimated to be in the thousands, Asrar said.

“The operators behind this are using TDS related services (Traffic Direction Services) to direct traffic to sites distributing the malware, [as in] they are buying web traffic in order to drive infection rates,” Asrar said. “The latest campaign still appears to be in its early stages; which is why we are only seeing a handful of AV companies detecting this threat.”

Upon infection, the device will display a fake warning from the Royal Canadian Mounted Police (RCMP). The notification states that suspicious files have been found on the device and that the user must pay a fine of $500 via PayPal cash cards in order to unlock the device, Asrar said.

Those who become infected with this Koler variant should reboot their devices into safe mode and uninstall any app making a reference to porn, Asrar said, adding that users should not trust the threat actors to unlock devices if the ransom is paid.

“This variant does contain the permission to write to external storage, but does not encrypt files at the moment, which is a trivial upgrade down the line [if] the operators behind this [wish to incorporate it],” Asrar said.

Previous versions of Koler would display a warning that reflects the location of the device, so users in the U.S. would see a notification claiming to be from the FBI. Asrar said that this most recent variant only displays the RCMP warning.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS