Special thanks to Ferenc László Nagy of SophosLabs Hungary and Savio Lau of SophosLabs Canada for providing research for this article.
The rise of ransomware
Ransomware has become a hot topic in recent years.
One sort, such as the Reveton family, leaves your data intact but locks you out of your computer, and demands a fee to let you back in.
The other main sort of ransomware, such as CryptoLocker, leaves your computer running fine but scrambles your data and demands a fee for the decryption key to get it back.
The fee is almost always $300 or thereabouts – the same sort of money that fake support callers charge – which seems to be the optimum price point: not so much that no-one will pay, and just within the reach of users who are desperate to get back to work quickly.
Well, in recent weeks, pay-to-unlock ransomware has made the leap to the Android ecosystem, and the recovery price is once again $300.
Introducing “Koler”
Perhaps the most talked-about ransomware for Android right now is known as “Koler”, a threat that follows a very similar pattern to the Reveton malware mentioned above.
In fact, it looks as though the Reveton gang are the crooks behind Koler, following a criminal formula that has worked for them on Windows computers.
The malware is what’s known as “policeware” or a “police locker,” and it takes over your Android with a warning that claims you are under surveillance by federal agents for alleged criminal activity.
As soon as the malware pops up, it downloads and displays a warning screen saying that the police are accusing you of viewing illegal pornography.
The malware demands a ransom of $300, paid via MoneyPak, to unlock your phone.
Fortunately, Koler doesn’t land on your Android entirely by surprise.
According to reports, the crooks are using the time-honored trick of telling you that you need to install a special “video player” app, and then offering it for download.
Note that because Koler has not made it into the Google Play Store, you need to have “Allow installation of apps from unknown sources” enabled in your Android security settings to be at risk.
As with Windows-based police warning ransomware, the malware can adapt the content it displays depending on your country or language settings.
Launching the malware in America, we were told that the warning came from “U.S.A. Cyber Crime Center” and “FBI Department of Defense” (which doesn’t make sense because the FBI is not part of the DoD).
The screen shows some fake government seals, and a mashup of ripped-off images, including one of President Obama pointing an accusatory finger.
If that’s not enough to scare you, the message informs you, in rather obviously illiterate English, that the government has tapped your phone for audio and video:
ATTENTION! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO.
If you scroll down in the warning screen, you’ll find a demand for $300 and instructions on how to pay the crooks to unlock your device.
Note. Sophos products, including Sophos Free Anti-Virus and Security for Android, detect this malware as Andr/Koler-A.
Getting rid of Koler
The good news is that Koler doesn’t scramble any of your data or exfiltrate audio and video as it claims; it merely locks your phone with a pop-over browser window that quickly reappears if you try to get clear of it.
The bad news is that the continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware.
Even rebooting won’t help as the malware kicks back in early in the process of restarting.
A factory reset will get rid of it, but that also removes all your other installed apps and stored data.
Our recommendation is to use Android “Safe Mode”, as detailed in our companion article explaining what you need to do.
Stay protected from police warning ransomware
Here are five easy tips to help you deal with Android malware of all sorts, including “police lockers”:
- Install a reputable anti-virus program to vet all new apps automatically before they run for the first time.
- Be cautious of apps you are offered in ads and pop-ups.
- Stick to Android’s default setting of allowing installs from the Google Play store only.
- Keep off-device backups of your important data.
- Read our article about using “Safe Mode”, just in case you ever need it in a hurry.
“… the government has tapped your phone for audio and video:” Really? Along with Google watching everything you do on your Android, or any other Internet-connected, device. I’m sure the NSA will stop sucking up all Internet data, right? Congress will make them stop, right?
Yeah, right!
A video showing the virus in action would be appreciated.
I encountered a similar tactic but with a website. I couldn’t exit the site, as it kept launching a pop-up every time I tried to exit it. I had to manually terminate the browser process. With Android, closing the entire browser also works.
We thought of making a video, but what you get is what you see above: a full screen browser window that covers everything else and reappears promptly if ever you manage to shift away from it. Not terribly exciting viewing 🙂
“Oh look, a popup window covered the screen almost immediately…and, look, it’s still there 4 hours later!”
The Koler malware controls the pop-over browser, so “terminating the browser process” isn’t a solution in this case. (The reason it uses a browser, not just a pop-up image in its own window, is that it means the malware doesn’t have to carry around images with it, can easily adapt to location, and doesn’t have to have any special code to acquire and upload the MoneyPak voucher code…that comes “for free” with the browser.)
I have the Galaxy S5 and just had it happen. Once the pop-up is removed after I do all the safe mode stuff… am I home free?
The feds hate competition… when and if you get “caught” send the site info to the FBI… they say they will add the info to their investigation?… you’d think it would be pretty easy to get these guys…
Mr. Zorabedian, I write a short corporate security newsletter for my company to educate our users on safe practices. I would like to cite your ‘Stay Protected…’ section with your permission. Can you please advise as to how I can properly request permission to do so?
Hi, I’m not John, but I can answer your question: please email tips@sophos.com and our editor will contact you directly.
My uncle encountered a very similar virus/malware on his Samsung Galaxy Tab 10.1. He is in the UK, so the website that was plastered on the screen was ‘Cheshire Police’. It was very simple to remove. Reboot into Safe Mode and then look into the app drawer. The developer of this ransomware cleverly hid the app as “Update” with the Android logo, so I didn’t catch it the first time around. Simply remove the app and reboot. The ransomware is gone.
Hi there!
Thank you. I’m using now the safe mode and at least I have a phone.
The only thing is I couldn’t find the app to remove it. Can it have any other names, or can it be hidden? I’ve got a Samsung S3.