
Ransomware on Android scares users with gov’t notices, asks for $300

Ransomware, such as the now-infamous CryptoLocker, has been successfully compromising computers and laptops for years, so it comes as no surprise that the pesky malware is now making its way to mobile devices running the Android operating system.

On Sunday, a researcher going by the name Kafeine posted about a piece of Android ransomware – known as Koler.A – that tailors itself to go after Android users located all over the world, including the U.S., UK, France and Netherlands.

Koler.A does this by delivering ransom screens that reflect the location of the user, so the message shown to Android users in the U.S. is in English, claims to come from the FBI and contains a photograph of President Barack Obama.

The Android malware does not have the dangerous capabilities of its computer counterparts – not yet, at least. Unlike encrypting ransomware that can result in real damage if locked files are lost, Koler.A, in the end, only forces a ransom screen to pop up incessantly.

The ransom screen claims to be from a government agency and states that the user has been caught looking at illegal content, that their device has been blocked and that, in order to gain back control of the device and avoid legal troubles, they must pay a $300 fine using an anonymous payment method, such as MoneyPak.

Fortunately, nothing has been blocked and the malware can even be removed, Filip Chytrý, malware analyst and operator at AVAST Software, told SCMagazine.com in a Wednesday email correspondence.

“I was able to uninstall it over Android's [graphical user interface], but it's pretty annoying because [the ransom screen] is showing up constantly,” Chytrý said. “[Users] should be able to do a factory data reset in [the] worst case. [They] will lose data, but save [the device].”

Users are being infected by Koler.A when redirected to pornographic websites that ask individuals to accept a malicious APK package in order to view more content. The ransomware makes a number of requests, including for full network access and permission to run at startup, according to a Wednesday blog post by AVAST.
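The permission pattern described above (full network access plus permission to run at startup) is something an analyst can check statically before a package ever reaches a device. The following is an added example, not code from the article or from AVAST: it parses a decoded AndroidManifest.xml (the plain-XML form a tool such as apktool emits) and reports whether the package requests both of those permissions and whether it registers a receiver for the boot-completed broadcast. The manifests embedded below are constructed for illustration; the package name and receiver class are made up.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission pattern
the article attributes to Koler.A: full network access plus run-at-startup.
Constructed example; the sample manifests below are not from a real APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android permission names behind the two capabilities the article mentions.
WATCHED = {
    "android.permission.INTERNET": "full network access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def extract_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME_ATTR) for p in root.iter("uses-permission") if p.get(NAME_ATTR)}


def boot_receivers(manifest_xml: str) -> list:
    """Return receiver class names whose intent filter listens for BOOT_COMPLETED,
    which is how an app normally arranges to start itself after a reboot."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        if any(a.get(NAME_ATTR) == BOOT_ACTION for a in recv.iter("action")):
            found.append(recv.get(NAME_ATTR))
    return found


def triage(manifest_xml: str) -> dict:
    """Summarise the manifest. 'matches_pattern' is a triage signal only: many
    legitimate apps request both permissions, so it is a reason to look closer,
    not a verdict."""
    perms = extract_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "flagged": {p: WATCHED[p] for p in sorted(perms) if p in WATCHED},
        "boot_receivers": boot_receivers(manifest_xml),
        "matches_pattern": set(WATCHED) <= perms,
    }


# Constructed manifest resembling the pattern described in the article.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary network-using app with no boot hook.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: pattern={report['matches_pattern']} "
              f"flagged={report['flagged']} boot_receivers={report['boot_receivers']}")
```

Run against a real decoded manifest by reading the file into a string and passing it to `triage()`. The boot-receiver check is worth keeping alongside the permission check: declaring RECEIVE_BOOT_COMPLETED without a matching receiver does nothing, so the combination of both is a stronger signal than either alone.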

Using anti-virus software and making sure that downloads only come from reputable sources goes a long way toward preventing compromise by this ransomware, Kevin Watkins, chief architect with Appthority, told SCMagazine.com in a Wednesday email correspondence.

“We've seen this similar technique and type of ransomware in the desktop space for years now, and it usually comes the same way, a drive-by download through the browser,” Watkins said. “It's no surprise we're seeing it now in the mobile space.”
