Koler Android malware demands $300 ransom from its victims

Ransomware has posed a serious threat to desktop computer users for some time.

Notorious examples include CryptoLocker, which encrypts victims’ files so thoroughly that, if you don’t have a backup, your only chance of recovering your data is to pay the criminals’ Bitcoin ransom.

Another commonly-seen example of ransomware is Reveton (also known as IcePol), which displays a bogus message purporting to be from your country’s police service – claiming that you have been monitored accessing child abuse websites, and demanding that you must pay a fine to escape prosecution.

And now, ransomware is making its presence felt on Android smartphones.

Security researchers have discovered malware for Android devices which mimics the techniques of Reveton, appearing to lock your phone with a message claiming to be from a law enforcement agency and ordering you to pay a fine or face the consequences.

The Android malware, called Android.Trojan.Koler.A by Bitdefender products, is a little different from some of the examples seen for Windows, however.

Koler does not presently exploit any vulnerabilities to install itself silently onto your Android device via a drive-by download. Instead, it asks you to help it grab a tight hold of your device, by popping up pretending to be a driver to help you watch x-rated adult videos.

So, in order to have your device infected, you have to have allowed apps from non-approved sources (i.e. not the official Google Play store), and to have granted the app permission to install itself on your device.

However, because the message could easily pop up while you are browsing a hardcore porn site, and because you (presumably, otherwise why are you there?) *want* to watch something a bit naughty… maybe you *would* allow the program to install itself on your smartphone?

That’s social engineering at work once again. It’s often the case that the problem is not the technology, but the fleshy human sitting in front of the keyboard making poor decisions.

Before you know it, the IMEI number of your smartphone has been sent to the criminals, and a Geo-IP lookup has determined which part of the world you are based in.

With that information, the Koler Android malware displays a message customised for your particular country.

So, for instance, Americans will see a message claiming to come from the FBI Department of Defense / USA Cyber Crime Center:


Your phone has been blocked for safety reasons listed below.

All the actions performed on this phone are fixed.
All your files are encrypted.

You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc). You have violated World Declaration on non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of United States of America criminal law.

And British victims will see a similar message but with imagery suggesting it has come from the Metropolitan Police:

For examples of other messages which can be displayed, check out the detailed description of the threat on the Bitdefender Labs blog.

Bitdefender senior e-threat analyst Bogdan Botezatu explains that although the message attempts to scare users into believing that their files have been encrypted in order to get victims to pay the $300 ransom, the truth is that the malicious app does not have the correct permission to meddle with the device’s files.
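The point Botezatu makes is worth checking for yourself: an Android app can only do what its manifest asks for, so a "your files are encrypted" claim can be tested against the permissions the app actually requested. The following is an added example (not code from the article or from Bitdefender) that parses the <uses-permission> entries of an AndroidManifest.xml and reports which of the capabilities mentioned above the app could plausibly have: reading the IMEI, contacting a server, and writing to shared storage. The manifest embedded below is constructed for illustration and is not Koler's real manifest; the permission-to-capability mapping is a simplification that assumes the pre-runtime-permissions model of the era.

```python
import xml.etree.ElementTree as ET

# Namespace used for all android:* attributes in an AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed (simplified) mapping from a claimed capability to the permission(s)
# an app would need for it. Any one of the listed permissions is enough.
CAPABILITIES = {
    "read the device IMEI": {"android.permission.READ_PHONE_STATE"},
    "contact a remote server": {"android.permission.INTERNET"},
    "modify files on shared storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "draw a screen-covering window": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "start itself at boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed sample manifest: asks for phone state, network, boot receiver and
# an overlay, but NOT for any storage permission. It is not Koler's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Video Player"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(name_attr)
        if name:
            perms.add(name)
    return perms


def assess_capabilities(manifest_xml: str) -> dict:
    """Map each capability in CAPABILITIES to True if the manifest requests
    at least one permission that would allow it, else False."""
    perms = requested_permissions(manifest_xml)
    return {cap: bool(needed & perms) for cap, needed in CAPABILITIES.items()}


def can_encrypt_user_files(manifest_xml: str) -> bool:
    """Convenience check for the specific ransom-note claim: without a storage
    write permission the app cannot touch files on shared storage."""
    return assess_capabilities(manifest_xml)["modify files on shared storage"]


if __name__ == "__main__":
    for capability, possible in assess_capabilities(SAMPLE_MANIFEST).items():
        print("%-35s %s" % (capability, "possible" if possible else "NOT requested"))
    print("Claim 'all your files are encrypted' plausible:",
          can_encrypt_user_files(SAMPLE_MANIFEST))
```

On a device, the manifest can be pulled out of the APK with the Android SDK's aapt tool (aapt dump permissions app.apk lists the same <uses-permission> names); the function above only needs the XML text, so it works equally on a decoded manifest from a static-analysis tool.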

Botezatu says that the malware can be uninstalled relatively easily, by dragging the app on the home screen to the top of the screen where the uninstall control is located, or by booting infected devices in Safe Mode whereupon the malware can be uninstalled.

Admittedly, Koler is hardly the most sophisticated example of ransomware ever seen.

It doesn’t, for instance, exploit any zero-day vulnerabilities in order to ease its installation – unlike the IcePol police ransomware that was seen exploiting a Java zero-day vulnerability last year.

But Koler is only the second example seen for the Android platform, and as devices running the operating system become ever more popular we can only expect criminals to develop more serious attacks, designed to outwit the unwary.

Once again, we have to call upon Android users to take greater care over their security. If you aren’t already running an anti-virus on your Android device, you are playing a very dangerous game.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.