Ransomware on Android scares users with gov't notices, asks for $300

Android ransomware uses government notices to scare users into coughing up $300.

Ransomware, such as the now-infamous CryptoLocker, has been successfully compromising computers and laptops for years, so it comes as no surprise that the pesky malware is now making its way to mobile devices running the Android operating system.

On Sunday, a researcher going by the name Kafeine posted about a piece of Android ransomware – known as Koler.A – that tailors itself to go after Android users located all over the world, including the U.S., UK, France and Netherlands.

Koler.A does this by delivering ransom screens that reflect the location of the user, so the message shown to Android users in the U.S. is in English, claims to come from the FBI and contains a photograph of President Barack Obama.

The Android malware does not have the dangerous capabilities of its computer counterparts – not yet, at least. Unlike encrypting ransomware that can result in real damage if locked files are lost, Koler.A, in the end, only forces a ransom screen to pop up incessantly.

The ransom screen claims to be from a government agency and states that the user has been caught looking at illegal content, that their device has been blocked and that, in order to gain back control of the device and avoid legal troubles, they must pay a $300 fine using an anonymous payment method, such as MoneyPak.

Fortunately, nothing has been blocked and the malware can even be removed, Filip Chytrý, malware analyst and operator at AVAST Software, told SCMagazine.com in a Wednesday email correspondence.

“I was able to uninstall it over Android's [graphical user interface], but it's pretty annoying because [the ransom screen] is showing up constantly,” Chytrý said. “[Users] should be able to do a factory data reset in [the] worst case. [They] will lose data, but save [the device].”

Users are being infected by Koler.A when redirected to pornographic websites that ask individuals to accept a malicious APK package in order to view more content. The ransomware makes a number of requests, including for full network access and permission to run at startup, according to a Wednesday blog post by AVAST.
