The mobile threat is disguised as an adult video streaming application

May 8, 2014 07:21 GMT

Ransomware that’s designed to scare users into paying a so-called fine to have their devices unlocked doesn’t only target desktop computers. Experts have come across a Trojan dubbed Android.Trojan.Koler.A that’s designed to infect Android devices.

According to Bitdefender, the threat is distributed via adult sites. It’s disguised as BaDoink, an app for a popular adult streaming service.

This piece of ransomware isn’t installed automatically on smartphones. Instead, the victim has to install it himself. Once it’s installed, the threat sends the infected device’s IMEI back to the attackers.

Then, the victim’s location is determined and a typical “Police Trojan” lock screen is displayed. Victims in the United States are presented with a warning message that appears to come from IT security company Mandiant, the FBI, the Department of Defense and the Cyber Crime Center.

Victims in the United Kingdom see a warning that leverages the names of British law enforcement agencies.

Users whose smartphones are infected are informed that their devices have been blocked because they’ve accessed illegal adult content. They’re also told that all their files have been encrypted, and that audio and video recordings have been made. To have the smartphone unlocked, they’re instructed to pay $300 (€215).

Security researcher Kafeine has also analyzed the threat. The website that serves Koler.A is designed to perform various actions depending on the browser and operating system used by the victim. If the site is visited with Internet Explorer, the Reveton ransomware is served via the Angler exploit kit.

If the page is accessed with a different browser by users running Windows, Linux or Mac operating systems, Browlock is pushed. Browlock is the piece of ransomware that locks browsers. Android users who access the site are served the fake BaDoink app which hides Koler.A.

According to Kafeine, the Trojan is designed to target users in a total of 31 countries, including Australia, Belgium, Canada, Germany, Denmark, Spain, Finland, France, Greece, Hungary, Italy, Mexico, the Netherlands, New Zealand, Poland, Portugal, Romania and Slovakia.

[Image: Android.Trojan.Koler.A lock screen]
Fortunately for victims, they don’t have to pay the ransom to unlock their devices. It’s worth noting that the files stored on the phone are not actually encrypted as the warning message claims. Koler.A doesn’t have the permissions necessary to access the files.

Although the back button is disabled and the home button only removes the lock screen for around 5 seconds, it’s not difficult to remove the threat.

It can be done either by starting the device in safe mode and uninstalling the malicious APK, or by quickly uninstalling it during the 5-second window.
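The point that Koler.A cannot actually encrypt anything because it lacks the storage permissions is one a responder can verify on a device rather than take on faith. The following script is an added example, not code from the article, Bitdefender, Kafeine or Malwarebytes: it parses the "requested permissions:" section of `adb shell dumpsys package <package>` output and reports which capability-relevant permissions a suspect app holds. The dumpsys text embedded below is constructed for the example, the package name is a placeholder, and the permission list is a general Android mapping (READ_PHONE_STATE is what an app needs to read the IMEI; the storage permissions are what it would need to reach the user's files), not a claim about Koler.A's exact manifest.

```python
"""Triage helper (added example): inspect the permissions a suspect Android
package requested, using the output of `adb shell dumpsys package <pkg>`.

Usage on a real device (package name is a placeholder):
    adb shell dumpsys package com.example.suspect | python triage.py
"""
import sys

# General Android permission-to-capability mapping (not Koler-specific).
WATCHLIST = {
    "android.permission.READ_PHONE_STATE": "can read the IMEI / phone identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "can read files on shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify files on shared storage",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw an overlay such as a lock screen",
    "android.permission.INTERNET": "can send data to a remote server",
}
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample of dumpsys output (trimmed to the relevant section);
# it deliberately requests no storage permission, matching the article's point.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.suspect] (1a2b3c):
    userId=10087
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_PHONE_STATE: granted=true
"""


def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'.

    The section ends at the next header line (ending in ':') or a blank line.
    """
    perms = []
    in_section = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not stripped or stripped.endswith(":"):
                break
            # Tolerate 'name: granted=true' style lines as well as bare names.
            perms.append(stripped.split(":")[0])
    return perms


def triage(dumpsys_text):
    """Summarise what the package could do, based on requested permissions."""
    perms = set(parse_requested_permissions(dumpsys_text))
    findings = {p: desc for p, desc in WATCHLIST.items() if p in perms}
    return {
        "permissions": sorted(perms),
        "findings": findings,
        # Without a storage permission the app cannot reach the user's files,
        # so a "your files are encrypted" claim on the lock screen is empty.
        "can_touch_files": bool(perms & STORAGE_PERMS),
    }


def report(result):
    lines = ["Requested permissions: " + ", ".join(result["permissions"])]
    for perm, desc in result["findings"].items():
        lines.append("  %s -> %s" % (perm, desc))
    lines.append("Can reach user files: %s" % result["can_touch_files"])
    return "\n".join(lines)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    print(report(triage(text)))
```

On a device the package name comes from `adb shell pm list packages -3` (third-party packages only), and once identified the app can be removed with `adb uninstall <package>` as an alternative to the safe-mode route above; both are standard adb commands.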

Most security companies have ensured that their mobile solutions are capable of detecting and blocking this piece of Android ransomware. Malwarebytes has published a step-by-step guide on how to remove Koler.A.

Update. Representatives of CM Productions, LLC, the company behind BaDoink, have clarified that they have nothing to do with the cybercriminal campaign. Here is the statement they've provided to Softpedia:

"The group behind this exploit is falsely and egregiously using the BaDoink brand and logo, a brand that adult consumers have trusted for 8+ years, to spread this Ransomware.

As you can imagine, we are taking every legal step possible to resolve this situation, and now we're attempting to perform damage control by contacting every blog and/or forum that is reporting on this exploit as it has the potential to deal a devastating blow to consumer trust in our product.

Our company does not create, use or spread malware or viruses, or malicious software of any kind. Our mobile applications are available in the iTunes App Store and GooglePlay market EXCLUSIVELY. They cannot be found anywhere else.

We are doing our best to get the word out to prevent further damage."
