Ransomware on Android scares users with gov't notices, asks for $300

Android ransomware uses government notices to scare users into coughing up $300.

Ransomware, such as the now-infamous CryptoLocker, has been successfully compromising computers and laptops for years, so it comes as no surprise that the pesky malware is now making its way to mobile devices running the Android operating system.

On Sunday, a researcher going by the name Kafeine posted about a piece of Android ransomware – known as Koler.A – that tailors itself to go after Android users located all over the world, including the U.S., UK, France and Netherlands.

Koler.A does this by delivering ransom screens that reflect the location of the user, so the message shown to Android users in the U.S. is in English, claims to come from the FBI and contains a photograph of President Barack Obama.

The Android malware does not have the dangerous capabilities of its computer counterparts – not yet, at least. Unlike encrypting ransomware that can result in real damage if locked files are lost, Koler.A, in the end, only forces a ransom screen to pop up incessantly.

The ransom screen claims to be from a government agency and states that the user has been caught looking at illegal content, that their device has been blocked and that, in order to gain back control of the device and avoid legal troubles, they must pay a $300 fine using an anonymous payment method, such as MoneyPak.

Fortunately, nothing has been blocked and the malware can even be removed, Filip Chytrý, malware analyst and operator at AVAST Software, told SCMagazine.com in a Wednesday email correspondence.

“I was able to uninstall it over Android's [graphical user interface], but it's pretty annoying because [the ransom screen] is showing up constantly,” Chytrý said. “[Users] should be able to do a factory data reset in [the] worst case. [They] will lose data, but save [the device].”

Users are being infected by Koler.A when redirected to pornographic websites that ask individuals to accept a malicious APK package in order to view more content. The ransomware makes a number of requests, including for full network access and permission to run at startup, according to a Wednesday blog post by AVAST.
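As an added illustration (not code from AVAST, Kafeine or the article), the following triage check flags a decoded AndroidManifest.xml that requests both items named above. It assumes the article's "full network access" and "run at startup" correspond to the standard Android permissions `INTERNET` and `RECEIVE_BOOT_COMPLETED`, and that the manifest has already been decoded to plain XML; the package and receiver names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the article's wording to standard Android permission names.
WATCHED = {
    "android.permission.INTERNET": "full network access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (decoded plain XML), not taken from any real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
""".strip()


def triage_manifest(xml_text):
    """Report watched permissions and boot-time receivers in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(WATCHED[p] for p in requested if p in WATCHED)
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(ANDROID_NS + "name"))
    return {
        "package": root.get("package"),
        "permissions": hits,
        "boot_receivers": boot_receivers,
        # Both requests together only warrant a closer look; many benign apps match.
        "review": len(hits) == len(WATCHED),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a reason to inspect a sideloaded APK further, not a verdict, since both permissions are common in legitimate apps.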
