Special thanks to Ferenc László Nagy of SophosLabs Hungary and Savio Lau of SophosLabs Canada for providing research for this article.
The rise of ransomware
Ransomware has become a hot topic in recent years.
One sort, such as the Reveton family, leaves your data intact but locks you out of your computer, and demands a fee to let you back in.
The other main sort of ransomware, such as CryptoLocker, leaves your computer running fine but scrambles your data and demands a fee for the decryption key to get it back.
The fee is almost always $300 or thereabouts – the same sort of money that fake support callers charge – which seems to be the optimum price point: not so much that no-one will pay, and just within the reach of users who are desperate to get back to work quickly.
Well, in recent weeks, pay-to-unlock ransomware has made the leap to the Android ecosystem, and the recovery price is once again $300.
Perhaps the most talked-about ransomware for Android right now is known as “Koler”, a threat that follows a very similar pattern to the Reveton malware mentioned above.
In fact, it looks as though the Reveton gang are the crooks behind Koler, following a criminal formula that has worked for them on Windows computers.
The malware is what’s known as “policeware” or a “police locker,” and it takes over your Android with a warning that claims you are under surveillance by federal agents for alleged criminal activity.
As soon as the malware runs, it fetches and displays a warning screen saying that the police are accusing you of viewing illegal pornography.
The malware demands a ransom of $300, paid via MoneyPak, to unlock your phone.
Fortunately, Koler doesn’t land on your Android entirely by surprise.
According to reports, the crooks are using the time-honored trick of telling you that you need to install a special “video player” app, and then offering it for download.
Note that because Koler has not made it into the Google Play Store, you need to have “Allow installation of apps from unknown sources” enabled in your Android security settings to be at risk.
As with Windows-based police warning ransomware, the malware can adapt the content it displays depending on your country or language settings.
Launching the malware in America, we were told that the warning came from “U.S.A. Cyber Crime Center” and “FBI Department of Defense” (which doesn’t make sense because the FBI is not part of the DoD):
The screen shows some fake government seals, and a mashup of ripped-off images, including one of President Obama pointing an accusatory finger:
If that’s not enough to scare you, the message informs you, in rather obviously illiterate English, that the government has tapped your phone for audio and video:
ATTENTION! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO.
If you scroll down in the warning screen, you’ll find a demand for $300 and instructions on how to pay the crooks to unlock your device:
Note. Sophos products, including Sophos Free Anti-Virus and Security for Android, detect this malware as Andr/Koler-A.
Getting rid of Koler
The good news is that Koler doesn’t scramble any of your data or exfiltrate audio and video as it claims; it merely locks your phone with a pop-over browser window that quickly reappears if you try to get clear of it.
The bad news is that the continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware.
Even rebooting won't help, because the malware kicks back in early in the boot process, before you can get to Settings.
A factory reset will get rid of it, but that also removes all your other installed apps and stored data.
Our recommendation is to use Android “Safe Mode”, as detailed in our companion article explaining what you need to do.
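For readers who already had USB debugging switched on before the infection, there is a second route besides Safe Mode: triage the device over adb from a computer. The script below is an added example for this article, not code from Sophos or from the malware analysis; it assumes the Android platform-tools (adb) are on your PATH and that the device is authorised for debugging. The package names in the sample output are constructed placeholders, not Koler's real identifier.

```shell
#!/bin/sh
# Added example (not from the original article): triage an Android device
# over adb. Assumes the Android platform-tools (adb) are on PATH and that
# USB debugging was already enabled on the device before infection.

# Interpret the value of the "unknown sources" setting, i.e. the output of:
#   adb shell settings get secure install_non_market_apps
# "1" means sideloaded APKs such as the fake "video player" can install.
unknown_sources_risk() {
    case "$1" in
        1)      echo "AT RISK: installation from unknown sources is enabled"; return 1 ;;
        0|null) echo "OK: installs are restricted to Google Play";           return 0 ;;
        *)      echo "UNEXPECTED value '$1' for install_non_market_apps";   return 2 ;;
    esac
}

# Turn "package:com.foo.bar" lines (output of `pm list packages -3`, which
# lists only third-party, i.e. non-system, apps) into bare package names.
third_party_packages() {
    sed -n 's/^package://p'
}

# Drop packages the owner recognises; $1 is a space-separated allow-list.
# Whatever remains is the short list to inspect and, if unwanted, uninstall.
unrecognised_packages() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok)'
}

# Run both checks against a connected device and print the suspect packages.
# Strip carriage returns, which older adb versions leave on each line.
live_triage() {
    allow="$1"
    unknown_sources_risk "$(adb shell settings get secure install_non_market_apps | tr -d '\r')"
    adb shell pm list packages -3 | tr -d '\r' | third_party_packages | unrecognised_packages "$allow"
}

# Offline demonstration on constructed sample output (placeholder package
# names; the one flagged below stands in for a sideloaded "video player").
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:com.example.videoplayer
package:com.twitter.android'

demo() {
    unknown_sources_risk 1 || true
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | third_party_packages \
        | unrecognised_packages "com.android.chrome com.twitter.android"
}

demo
# Once the suspect is confirmed, remove it with:  adb uninstall <package.name>
```

Two caveats. First, the pop-over lock screen stops you from turning USB debugging on after the fact, so this only helps if it was already enabled; otherwise Safe Mode remains the practical route. Second, `install_non_market_apps` is the single global switch used by Android of this era; from Android 8.0 onwards that setting was replaced by a per-app "Install unknown apps" permission, so the check above would need adjusting on newer devices.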
Stay protected from police warning ransomware
Here are five easy tips to help you deal with Android malware of all sorts, including “police lockers”:
- Install a reputable anti-virus program to vet all new apps automatically before they run for the first time.
- Be cautious of apps you are offered in ads and pop-ups.
- Stick to Android’s default setting of allowing installs from the Google Play store only.
- Keep off-device backups of your important data.
- Read our article about using “Safe Mode”, just in case you ever need it in a hurry.