Mobile malware which locks Android users out of their device and demands a ransom payment has been detected.
According to research by Bitdefender , the Reveton or IcePol ransomware displays a bogus message claiming to be from the police and that you have been monitored accessing child abuse websites. The malware, identified as Android.Trojan.Koler.A is delivered automatically while the victim is browsing malicious pornographic sites.
“As the user browses, an application that claims to be a video player used for premium access to pornography downloads automatically,” it said. “Unlike the Windows-based Reveton that is delivered via zero-interaction exploits, Koler.A still requires the user to enable sideloading and manually install the application.”
As well as locking down the device, it also disables the back button and after returning to the home screen, the user has five seconds to uninstall the APK before a timer brings the malicious application back to the foreground. This goes on every five seconds until you pay the ransom.
Bitdefender said that even though the message claims the stored data is encrypted, the application does not have the permissions it needs to touch files.
Malwarebytes researcher Armando Orozco, said: “The good news is you don’t have to pay the ransom to remove. However, at times there are race conditions where Koler’s page is up and has control of the screen or you might not have a security tool installed. You can try the traditional method of going to the app tray and dragging the icon to the Uninstall/Remove area, but you have a limited amount of time before Koler resurfaces.”
Malwarebytes security researcher Christopher Boyd, said: “Ransomware is particularly effective at generating cash for criminals and scammers because it mixes social engineering with fear highly effectively. It has been seen on Android since at least 2013, however a new wave is always worth noting as it is particularly effective at generating cash for scammers because it mixes social engineering with fear highly effectively.
“Adding in geo-location only serves to reinforce this and therefore it could become a real money-spinner, which is why raising consumer awareness is important. As Android users are so abundant, it is always the most likely candidate for any scam looking to migrate to mobile.”
Bitdefender said that the malware controller will have your IMEI on file by the time you see the message, but that Koler.A can be easily removed by either pressing the home screen and navigating to the app, then dragging it on the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app.
“Its functionality is very limited, but the APK code is highly obfuscated, either to deter analysis, or to prevent a wannabe cyber criminal from modifying the binary and using it for their own profit,” it said.
“The Android version of Icepol might be a test-run for cyber-criminals to see how well this type of scam can be monetised on mobile platform. If this is the case, we should expect much more sophisticated strains of ransomware, possibly capable of encrypting files, to emerge shortly.”
Michael Sutton, director of security research at Zscaler, told IT Security Guru that ransomware is growing in popularity, although Koler is really ‘fake ransomware’.
He said: “Unlike the more popular Crytolocker, whi
ch impacts PCs and does actually encrypt private files until a ransom is paid, Koler is simply purporting to have encrypted files, but would not have adequate permissions to do so. The victim can simply uninstall the program.
“Koler is also a pure social engineering attack, simply tricking the user into installing the application. In short, it’s not a particularly sophisticated piece of malware. It’s new and I do not expect it to become a major threat, given the lack of sophistication but it may also be a first step to experiment in the Android space, leveraging a technique that has been rather profitable in the PC world.”
