Police scareware delivered from Dropbox storage

Oct 22, 2014 07:27 GMT

A new variant of the Koler Android ransomware has been spotted in the wild. It propagates on its own, worm-style, by sending SMS messages to every contact stored on the infected device.

Most of the infections (75%) so far have been detected in the United States, on devices from multiple carriers.

Koler is police scareware: it locks the infected device and demands a ransom to unlock it. Its distribution chain has been analyzed before by security researchers, who uncovered an intricate redirection infrastructure that automatically steered visitors to the appropriate payload, serving both mobile and desktop users.

Payload is hosted on Dropbox, disguised as a photo viewing app

In the latest version, discovered by AdaptiveMobile, the malware self-replicates over SMS (Short Message Service). As soon as it becomes active on a device, it sends a text to every contact in the address book, luring each recipient into tapping a Bit.ly short link.

The shortened URL hides the real destination from the recipient: the link resolves to a Dropbox account that serves the ransomware, disguised as a PhotoViewer app. A recipient who wants to check where a Bit.ly link leads before tapping it can append a plus sign to the short URL, which shows Bit.ly's preview page with the full destination instead of redirecting.

The message is simple, but the same lure has proved effective in other campaigns run through Facebook chat or email. It reads: “someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you? http://bit.ly/xxxxxx.”
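The propagation pattern described above, one device pushing the same shortened link to its whole contact list within minutes, is exactly what a carrier-side SMS filter looks for. The following is an added example, not AdaptiveMobile's detection logic or anything from the original article: it runs a burst detector over a constructed SMS log (the pipe-separated log format, the phone numbers and the placeholder short link are all assumptions made up for the example) and flags senders that deliver the same URL-shortener link to many distinct recipients inside a time window.

```python
"""Flag SMS-worm behaviour: one sender pushing the same shortener link to many contacts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts treated as URL shorteners (the Koler lure used bit.ly).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Captures scheme://host[/path]; group 1 is the host.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?", re.IGNORECASE)

# Constructed sample log, format "<ISO time>|<sender>|<recipient>|<body>".
# +15550100 plays the infected phone; the other two senders are benign.
# The short link is a placeholder, not the real campaign URL.
LURE = ("someone made a profile named -Luca Pelliciari- and he uploaded "
        "some of your photos! is that you? http://bit.ly/abc123")
SAMPLE_LOG = [
    f"2014-10-20T09:00:00|+15550100|+15550201|{LURE}",
    f"2014-10-20T09:00:20|+15550100|+15550202|{LURE}",
    f"2014-10-20T09:00:40|+15550100|+15550203|{LURE}",
    f"2014-10-20T09:01:00|+15550100|+15550204|{LURE}",
    f"2014-10-20T09:01:20|+15550100|+15550205|{LURE}",
    f"2014-10-20T09:01:40|+15550100|+15550206|{LURE}",
    "2014-10-20T09:05:00|+15550300|+15550301|check this out http://bit.ly/zzz999.",
    "2014-10-20T09:06:00|+15550400|+15550401|running late, see you at 7",
    "2014-10-20T09:06:30|+15550400|+15550402|running late, see you at 7",
]


def shortener_links(text):
    """Return the set of shortened URLs found in an SMS body."""
    links = set()
    for m in URL_RE.finditer(text):
        if m.group(1).lower() in SHORTENER_HOSTS:
            # Drop sentence punctuation that often trails a pasted link.
            links.add(m.group(0).rstrip(".,!?"))
    return links


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, body)."""
    ts, sender, recipient, body = line.split("|", 3)
    return datetime.fromisoformat(ts), sender, recipient, body


def find_worm_senders(lines, window=timedelta(minutes=10), min_recipients=5):
    """Return {sender: (link, distinct_recipients)} for every sender that delivered
    the same shortener link to at least `min_recipients` distinct recipients
    within `window`. A single shared link, or a burst of link-free texts, is
    not flagged."""
    events = defaultdict(list)  # (sender, link) -> [(timestamp, recipient), ...]
    for line in lines:
        ts, sender, recipient, body = parse_line(line)
        for link in shortener_links(body):
            events[(sender, link)].append((ts, recipient))

    flagged = {}
    for (sender, link), hits in events.items():
        hits.sort()
        # Slide a window anchored at each hit and count distinct recipients in it.
        for i, (start, _) in enumerate(hits):
            recipients = {r for t, r in hits[i:] if t - start <= window}
            if len(recipients) >= min_recipients:
                flagged[sender] = (link, len(recipients))
                break
    return flagged


if __name__ == "__main__":
    for sender, (link, count) in find_worm_senders(SAMPLE_LOG).items():
        print(f"{sender} sent {link} to {count} distinct recipients within 10 minutes")
```

The threshold and window are tuning knobs: a real filter would also correlate the link's destination (here, a cloud-storage account serving an app package) and the identical message body, but the distinct-recipient burst alone separates the infected phone from a user who shares one link with one friend.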

Once infected, the device is locked and a message purporting to come from the FBI informs the victim that law enforcement has detected access to child pornography from the phone. The lock screen lists charges lifted from US legislation.

The victim is then offered a way to clear all accusations: paying a fine through MoneyPak prepaid cards.

Paying the ransom is not recommended

“The device appears to be completely locked down with the screen on the phone blocked, so the user won’t be able to close the window, or deactivate the malware through the app manager. The victim is forced to buy a voucher as instructed on the blocking page, and send the voucher code to a malware author,” says Yicheng Zhou from AdaptiveMobile.

Users are advised not to give in to the ransom demand: the criminals may simply take the money without sending an unlock code, and every payment makes the scheme worth repeating.

Zhou's removal method is to reboot the phone into safe mode, which starts the system without loading third-party apps, so the locker cannot take over the screen and can be uninstalled from the app manager. On most devices safe mode is entered by pressing both volume buttons during a restart, though the exact key combination varies by manufacturer.

Dropbox and Bit.ly have been informed of the abusive account and links, both of which have since been disabled; but the attackers will have no trouble creating new ones for the next campaign.