Android "police warning" ransomware - how to avoid it, and what to do if you get caught

Filed Under: Android, Featured, Google, Malware, Mobile, Ransomware

Special thanks to Ferenc László Nagy of SophosLabs Hungary and Savio Lau of SophosLabs Canada for providing research for this article.

The rise of ransomware

Ransomware has become a hot topic in recent years.

One sort, such as the Reveton family, leaves your data intact but locks you out of your computer, and demands a fee to let you back in.

The other main sort of ransomware, such as CryptoLocker, leaves your computer running fine but scrambles your data and demands a fee for the decryption key to get it back.

The fee is almost always $300 or thereabouts - the same sort of money that fake support callers charge - which seems to be the optimum price point: not so much that no-one will pay, and just within the reach of users who are desperate to get back to work quickly.

Well, in recent weeks, pay-to-unlock ransomware has made the leap to the Android ecosystem, and the recovery price is once again $300.

Introducing "Koler"

Perhaps the most talked-about ransomware for Android right now is known as "Koler", a threat that follows a very similar pattern to the Reveton malware mentioned above.

In fact, it looks as though the Reveton gang are the crooks behind Koler, following a criminal formula that has worked for them on Windows computers.

The malware is what's known as "policeware" or a "police locker," and it takes over your Android with a warning that claims you are under surveillance by federal agents for alleged criminal activity.

As soon as the malware runs, it downloads and displays a warning screen saying that the police are accusing you of viewing illegal pornography.

The malware demands a ransom of $300, paid via MoneyPak, to unlock your phone.

Fortunately, Koler doesn't land on your Android entirely by surprise.

According to reports, the crooks are using the time-honored trick of telling you that you need to install a special "video player" app, and then offering it for download.

Note that because Koler has not made it into the Google Play Store, you need to have "Allow installation of apps from unknown sources" enabled in your Android security settings to be at risk: with the default setting, the sideloaded "video player" simply won't install.

As with Windows-based police warning ransomware, the malware can adapt the content it displays depending on your country or language settings.

Launching the malware in America, we were told that the warning came from "U.S.A. Cyber Crime Center" and "FBI Department of Defense" (which doesn't make sense because the FBI is not part of the DoD):

The screen shows some fake government seals, and a mashup of ripped-off images, including one of President Obama pointing an accusatory finger:

If that's not enough to scare you, the message informs you, in rather obviously illiterate English, that the government has tapped your phone for audio and video:

ATTENTION! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO.

If you scroll down in the warning screen, you'll find a demand for $300 and instructions on how to pay the crooks to unlock your device:

Note: Sophos products, including Sophos Free Anti-Virus and Security for Android, detect this malware as Andr/Koler-A.

Getting rid of Koler

The good news is that Koler doesn't scramble any of your data or exfiltrate audio and video as it claims; it merely locks your phone with a pop-over browser window that quickly reappears if you try to get clear of it.

The bad news is that the continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware.

Even rebooting won't help, as the malware kicks back in early in the restart process, before you get a chance to reach the Settings menu.

A factory reset will get rid of it, but that also removes all your other installed apps and stored data.

Our recommendation is to use Android "Safe Mode", as detailed in our companion article explaining what you need to do.

Stay protected from police warning ransomware

Here are five easy tips to help you deal with Android malware of all sorts, including "police lockers":

  • Install a reputable anti-virus program to vet all new apps automatically before they run for the first time.
  • Be cautious of apps you are offered in ads and pop-ups.
  • Stick to Android's default setting of allowing installs from the Google Play store only.
  • Keep off-device backups of your important data.
  • Read our article about using "Safe Mode", just in case you ever need it in a hurry.
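Two of the tips above, keeping "unknown sources" switched off and being wary of apps that arrive outside Google Play, can be checked from a computer with adb. The script below is an added example, not code from the article or from Sophos. It assumes an adb connection to the device, that `settings get secure install_non_market_apps` (Android 4.2 and later) prints 1 when the unknown-sources setting is enabled, that `pm list packages -3 -i` prints one `package:<name>  installer=<installer>` line per third-party app, and that `com.android.vending` is the Play Store's package name; a sideloaded APK such as Koler's "video player" shows `installer=null` (or the system package installer) instead. The parsing functions read standard input, so they can be run offline on saved output as well as on a live device.

```shell
#!/bin/sh
# Added example, not code from the Naked Security article or from Sophos:
# audit an Android device for the two conditions the article describes,
# the "unknown sources" setting being enabled and apps that did not come
# from Google Play (Koler arrives as a sideloaded "video player" app).
#
# Assumptions (not stated on the page):
#  - an adb connection to the device;
#  - `settings get secure install_non_market_apps` (Android 4.2 and later)
#    prints 1 when "Allow installation of apps from unknown sources" is on;
#  - `pm list packages -3 -i` prints one line per third-party app in the
#    form "package:<name>  installer=<installer package>";
#  - "com.android.vending" is the package name of the Google Play Store, and
#    a browser-downloaded APK shows installer=null (or the system package
#    installer) rather than the Play Store.

PLAY_STORE="com.android.vending"

# Read `pm list packages -3 -i` output on stdin and print the names of
# packages whose installer is not the Play Store. Reading stdin means it
# runs on saved output as well as on a live device.
list_sideloaded() {
    sed -n 's/^package:\([^ ]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p' |
    while read -r pkg installer; do
        [ "$installer" = "$PLAY_STORE" ] || echo "$pkg"
    done
}

# True (exit 0) when the raw setting value means unknown sources is enabled.
unknown_sources_enabled() {
    [ "$1" = "1" ]
}

# Live audit over adb, only when invoked as `sh audit.sh --live`, so the
# functions above can also be exercised offline on constructed input.
if [ "${1-}" = "--live" ]; then
    value=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    if unknown_sources_enabled "$value"; then
        echo "WARNING: installation from unknown sources is enabled"
    else
        echo "OK: installation from unknown sources is disabled"
    fi
    echo "Third-party apps not installed by Google Play:"
    adb shell pm list packages -3 -i | tr -d '\r' | list_sideloaded
fi
```

Anything the script lists is not necessarily malicious (a corporate MDM or a second app store will also show up), but a "video player" you don't remember installing from Play is exactly the kind of entry the article warns about. The `-3` flag restricts the listing to third-party apps so that pre-installed system packages, which legitimately report no installer, do not clutter the output.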


8 Responses to Android "police warning" ransomware - how to avoid it, and what to do if you get caught

  1. Sayville Library · 470 days ago

"... the government has tapped your phone for audio and video:" Really? Along with Google watching everything you do on your Android, or any other Internet connected, device. I'm sure the NSA will stop sucking up all Internet data, right? Congress will make them stop, right?

  2. A video showing the virus in action would be appreciated.

    I encountered a similar tactic but with a website. I couldn't exit the site as it kept launching a pop-up every time I tried to exit it. I had to manually terminate the browser process. With Android, closing the entire browser also works.

    • Paul Ducklin · 470 days ago

      We thought of making a video, but what you get is what you see above: a full screen browser window that covers everything else and reappears promptly if ever you manage to shift away from it. Not terribly exciting viewing :-)

      "Oh look, a popup window covered the screen almost immediately...and, look, it's still there 4 hours later!"

      The Koler malware controls the pop-over browser, so "terminating the browser process" isn't a solution in this case. (The reason it uses a browser, not just a pop-up image in its own window, is that it means the malware doesn't have to carry around images with it, can easily adapt to location, and doesn't have to have any special code to acquire and upload the MoneyPak voucher code...that comes "for free" with the browser.)

      • jake filomena · 243 days ago

        I have the Galaxy S5 and just had it happen. Once the pop-up is removed after I do all the Safe Mode stuff... am I home free?

  3. The feds hate competition... when and if you get "caught" send the site info to the FBI... they say they will add the info to their investigation? You'd think it would be pretty ez to get these guys...

  4. Vince Asta · 469 days ago

    Mr. Zorabedian, I write a short corporate security newsletter for my company to educate our users on safe practices. I would like to cite your 'Stay Protected...' section with your permission. Can you please advise as to how I can properly request permission to do so?


About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.