Ransomware on Android scares users with gov't notices, asks for $300

Share this article:
Case study: Network clarity
Android ransomware uses government notices to scare users into coughing up $300.

Ransomware, such as the now-infamous CryptoLocker, has been successfully compromising computers and laptops for years, so it comes as no surprise that the pesky malware is now making its way to mobile devices running the Android operating system.

On Sunday, a researcher going by the name Kafeine posted about a piece of Android ransomware – known as Koler.A – that tailors itself to go after Android users located all over the world, including the U.S., UK, France and Netherlands.

Koler.A does this by delivering ransom screens that reflect the location of the user, so the message shown to Android users in the U.S. is in English, claims to come from the FBI and contains a photograph of President Barack Obama.

The Android malware does not have the dangerous capabilities of its computer counterparts – not yet, at least. Unlike encrypting ransomware that can result in real damage if locked files are lost, Koler.A, in the end, only forces a ransom screen to pop up incessantly.

The ransom screen claims to be from a government agency and states that the user has been caught looking at illegal content, that their device has been blocked and that, in order to gain back control of the device and avoid legal troubles, they must pay a $300 fine using an anonymous payment method, such as MoneyPak.

Fortunately, nothing has been blocked and the malware can even be removed, Filip Chytrý, malware analyst and operator at AVAST Software, told SCMagazine.com in a Wednesday email correspondence.

“I was able to uninstall it over Android's [graphical user interface], but it's pretty annoying because [the ransom screen] is showing up constantly,” Chytrý said. “[Users] should be able to do a factory data reset in [the] worst case. [They] will lose data, but save [the device].”

Users are being infected by Koler.A when redirected to pornographic websites that ask individuals to accept a malicious APK package in order to view more content. The ransomware makes a number of requests, including for full network access and permission to run at startup, according to a Wednesday blog post by AVAST.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Company news: New hires at Accuvant, ZeroFox and ThreatStream

New hires at Accuvant, ZeroFOX and ThreatStream, while a divestiture at Juniper and an acquisition for BlackBerry.

News briefs: The latest on Sony, Android, Backoff malware and more.

News briefs: The latest on Sony, Android, Backoff ...

This month's news briefs cover a preliminary settlement Sony will bear for the exposure of 77 million customers, and more.

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.