NEWS FROM THE LAB - Thursday, May 15, 2014

"Police Ransomware" Expands To Android Ecosystem Posted by FSLabs @ 16:23 GMT

Crimeware has steadily transferred Windows-based technology to Android. We've seen phishing, fake-antivirus scams, banking trojan components, and now… ransomware.

Yep. "Police ransomware" on Android. Our name for it is, Koler.

[Screenshot: main screen]

The crimeware ecosystem has long been aware of Android systems it routinely comes into contact with — it's not really much of a surprise to see ransomware attempt to make the jump.

Here's how it works:

Compromise occurs when the user visits a booby-trapped (pornographic) website with an Android device. The malware then pretends to be a video player and requests installation. This depends on the "enable unknown sources" setting being enabled on the device.

When the installation is completed, Koler sends the phone's identification information to its remote server. After this, the server returns a webpage declaring that the user has visited an illegal porn site and the phone is locked. To unlock, the user is told to pay a fine (ransom).

Even though Koler claims to encrypt files, in reality, nothing is encrypted.

These domains are hardcoded to be Koler's remote servers:

  •  mobile-policeblock.com
  •  police-guard-mobile.com
  •  police-mobile-stop.com
  •  police-scan-mobile.com
  •  police-secure-mobile.com
  •  police-strong-mobile.com

At the moment, Koler's servers are offline. Google Cache finds (NSFW) content from only one server, but the malware has been removed. The servers are/were hosted in the US. Whois lists contact information, such as phone numbers, from Denmark and Russia.
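As an added example (not code from the original post), the following Python script flags resolver-log entries that look up any of the Koler domains listed above, including their subdomains; the log line format and the sample lines are constructed assumptions, not real data.

```python
"""Flag DNS-log lines that resolve Koler's hardcoded C2 domains (added example)."""
import re
from collections import defaultdict

# Domains hardcoded in Koler as its remote servers (taken from the post).
KOLER_DOMAINS = {
    "mobile-policeblock.com",
    "police-guard-mobile.com",
    "police-mobile-stop.com",
    "police-scan-mobile.com",
    "police-secure-mobile.com",
    "police-strong-mobile.com",
}

# Assumed (constructed) log format: "<timestamp> <client-ip> query: <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+) (\S+)$")


def matches_koler(qname: str) -> bool:
    """True if qname is a Koler domain or a subdomain of one.

    Case-insensitive; a trailing dot (FQDN form) is tolerated. Only whole-label
    matches count, so "notpolice-scan-mobile.com" is not a hit.
    """
    name = qname.lower().rstrip(".")
    return name in KOLER_DOMAINS or any(name.endswith("." + d) for d in KOLER_DOMAINS)


def scan_dns_log(lines):
    """Return {client_ip: sorted list of Koler names it looked up}."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname, _qtype = m.groups()
        if matches_koler(qname):
            hits[client].add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log; the timestamps and client IPs are made up.
SAMPLE_LOG = [
    "2014-05-15T10:01:02Z 10.0.0.7 query: www.example.com A",
    "2014-05-15T10:01:05Z 10.0.0.23 query: police-scan-mobile.com. A",
    "2014-05-15T10:01:06Z 10.0.0.23 query: cdn.police-secure-mobile.com A",
    "2014-05-15T10:01:09Z 10.0.0.41 query: notpolice-scan-mobile.com A",
    "garbage line",
]

if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```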

At present, country-specific localizations have been seen for more than 30 countries. The content has been ported from the Windows versions of "police ransomware" and is formatted for mobile browsers.

How to remove Koler:

The ransomware disables the back button, but the home screen button remains active. This gives the user only a few seconds to get to the phone's settings to remove the malware, or to restore factory settings.

Another option is to restart the device to the service menu and remove Koler from there.

Koler also blocks access to the device via adb.exe: you can start a shell, but viewing files is not allowed.

More information can be found in our description: Trojan:Android/Koler.

Analysis by Mikko Hyykoski