Ransomware on Android scares users with gov't notices, asks for $300

Android ransomware uses government notices to scare users into coughing up $300.

Ransomware, such as the now-infamous CryptoLocker, has been successfully compromising computers and laptops for years, so it comes as no surprise that the pesky malware is now making its way to mobile devices running the Android operating system.

On Sunday, a researcher going by the name Kafeine posted about a piece of Android ransomware – known as Koler.A – that tailors itself to go after Android users located all over the world, including the U.S., UK, France and the Netherlands.

Koler.A does this by delivering ransom screens that reflect the location of the user, so the message shown to Android users in the U.S. is in English, claims to come from the FBI and contains a photograph of President Barack Obama.

The Android malware does not have the dangerous capabilities of its computer counterparts – not yet, at least. Unlike encrypting ransomware that can result in real damage if locked files are lost, Koler.A, in the end, only forces a ransom screen to pop up incessantly.

The ransom screen claims to be from a government agency and states that the user has been caught looking at illegal content, that their device has been blocked and that, in order to gain back control of the device and avoid legal troubles, they must pay a $300 fine using an anonymous payment method, such as MoneyPak.

Fortunately, nothing has been blocked and the malware can even be removed, Filip Chytrý, malware analyst and operator at AVAST Software, told SCMagazine.com in a Wednesday email correspondence.

“I was able to uninstall it over Android's [graphical user interface], but it's pretty annoying because [the ransom screen] is showing up constantly,” Chytrý said. “[Users] should be able to do a factory data reset in [the] worst case. [They] will lose data, but save [the device].”

Users are being infected by Koler.A when redirected to pornographic websites that ask individuals to accept a malicious APK package in order to view more content. The ransomware makes a number of requests, including for full network access and permission to run at startup, according to a Wednesday blog post by AVAST.
