Cybercriminals extorting money from Android users

Android users are now at risk from Koler, a ransomware family that locks the device, accuses the owner of a crime, and threatens action from law enforcement unless a steep "fine" is paid.

Ransomware is a particularly frustrating type of malware. Those caught by it seldom escape without losing valuable data or money -- or worse, both. Ransomware extorts money by holding either the device or its data hostage, in one of two ways:

  • The victim is locked out of the device, but the data is intact (not encrypted).
  • The victim has access to everything on the device, but the data is unusable (encrypted by the ransomware).

It was only a matter of time before the bad guys decided it was worth their effort to adapt ransomware to devices running the Android operating system. The incentive is obvious: Gartner predicts the number of Android phones sold will approach 1 billion this year.

How Android ransomware works

As with PC (later OS versions) ransomware, Android ransomware requires social engineering the victim to get the malware loaded on the computing device. Android ransomware has the additional complication of requiring the user to grant certain permissions to the malicious app with embedded ransomware.

Digital extortionists use an effective and time-honored scheme to trick victims into installing Koler, the first widely reported Android ransomware. The scheme currently preys on people who use their Android phone or tablet to visit illicit websites in order to view illegal pornography, but, as with all malware, the lure could easily be adapted to other sites.

The first step in the scheme is to build a malicious duplicate of a real video download website. The next step is rerouting visitors from the real website to the malicious duplicate. Once that works, the visitor has reached the point of no return: the soon-to-be victim is told the video requires a "special viewer" and is asked to download and install it. When the victim opens the viewer expecting a video, all that shows up is the following warning:

Image: Ars Technica

As malware goes, Koler is interesting in that it checks the mobile device's country and language settings and alters the above message to match. In the UK, for instance, potential victims are shown an image of the Queen. But as with other ransomware, there are telltale signs that this is not the real deal. For example, the FBI is not part of the Department of Defense (it belongs to the Department of Justice), and having President Obama pointing a finger seems a bit far-fetched.

Whether the victim realizes the warning is fake is immaterial. The warning window is redrawn over everything the owner tries to do with the device, including opening the Settings screen to delete the ransomware app. Rebooting does not help either, because Koler registers to run at boot and puts the warning back up early in the start-up sequence.
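The two behaviours just described, a window that stays on top of every other app and an app that restarts itself at boot, each correspond to a permission that the app had to request at install time (see the permissions point above). The following script is an added example and is not code from the article or from any vendor named in it. It parses a simplified, constructed sample of `adb shell dumpsys package` output, flags any third-party package that requests both `SYSTEM_ALERT_WINDOW` (draw over other apps) and `RECEIVE_BOOT_COMPLETED` (start at boot), and prints the `adb shell pm uninstall` command for each. Treating that permission pair as the screen-locker profile is the example's assumption, not a statement about Koler's exact manifest; the package names in the sample are made up.

```python
"""Triage third-party Android packages for screen-locker indicators.

Added example, not from the original article. Parses a simplified form of
`adb shell dumpsys package` output and flags packages that request both
RECEIVE_BOOT_COMPLETED (restart after reboot) and SYSTEM_ALERT_WINDOW (draw
over every other app). Treating that pair as the lock-screen ransomware
profile is an assumption of this example, not a claim about Koler's manifest.
"""
import re

# Constructed sample output: three packages, only one with both indicators.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    flags=[ SYSTEM ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
  Package [com.example.notes] (4d5e6f):
    flags=[ ]
    requested permissions:
      android.permission.INTERNET
  Package [com.video.viewer] (7a8b9c):
    flags=[ ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.SYSTEM_ALERT_WINDOW
"""

# Permission pair used as the screen-locker indicator (assumption, see above).
LOCKER_INDICATORS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def parse_packages(text):
    """Return {package_name: {"system": bool, "perms": set_of_permissions}}."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            packages[current] = {"system": False, "perms": set()}
            continue
        if current is None:
            continue
        if line.strip().startswith("flags="):
            # Preinstalled apps carry the SYSTEM flag; we only triage the rest.
            packages[current]["system"] = "SYSTEM" in line
        elif re.match(r"\s*android\.permission\.", line):
            packages[current]["perms"].add(line.strip())
    return packages


def flag_lockers(packages):
    """Names of third-party packages that hold every indicator permission."""
    return sorted(
        name for name, info in packages.items()
        if not info["system"] and LOCKER_INDICATORS <= info["perms"]
    )


def removal_commands(names):
    """adb commands that remove the flagged packages from a PC over USB."""
    return [f"adb shell pm uninstall {name}" for name in names]


if __name__ == "__main__":
    suspects = flag_lockers(parse_packages(SAMPLE_DUMPSYS))
    for cmd in removal_commands(suspects):
        print(cmd)
```

The obvious caveat: `adb` only reaches a locked phone if USB debugging was already enabled before the infection, which is exactly why the safe-mode route described later matters for most users. Where debugging is on, the same parser can be fed live output from `adb shell dumpsys package` instead of the sample.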

The next screen the victim sees is the one below, instructing how the victim can pay $300 to remove the offending pornography from the device and return control to the user:

Image: Sophos Ltd.

There is no banned content, and paying the ransom is not recommended; trusting people who are trying to extort money from you is a bad bet. There are other options. One is fast and simple: return the Android device to factory condition using the reset option (the steps differ by manufacturer). The drawback of a reset is that all personal data and installed applications are lost.

Because Koler only locks the device and does not encrypt the stored data, another option presents itself. Like Windows, Android has a safe mode in which third-party apps are not started.

Using Android safe mode

Using safe mode is not a 100% guarantee. Paul Ducklin of Sophos provided an excellent "How to" post showing three different options for accessing safe mode. However, Ducklin also mentioned that manufacturers have fractured Google's version of Android into their own versions of firmware, making it all but impossible to guarantee that using safe mode will work. That said, Ducklin offered the following assurances:

  • Employing safe mode does not require any special technical skills.
  • Safe mode doesn't require special software to be installed prior to the problem.
  • If safe mode doesn't work, you can go back to where you were and be no worse off than you were before.

"In theory, if your phone isn't rooted," Ducklin said, "then no third-party apps you have installed should be able to trick the system into loading them in safe mode. So booting into safe mode means you should always be able to get into the list of downloaded apps, malware or not, and remove unwanted ones."

Some proactive advice

Koler has been around for a while, so the major mobile antimalware vendors have it on their radar; their apps, including the free versions, detect it and block it from installing. It is worth the few minutes to install an antimalware app, forget about it, and let it work in the background.

Google and other reputable Android marketplaces are aware of Koler and block developers from uploading apps with Koler embedded. That is why Koler is pushed through ads and pop-ups on third-party sites instead, and why it is important to avoid installing apps from those sources, which requires enabling installation from unknown sources in the first place.

Finally, Android does not make it easy to back up personal data on mobile devices, so consider using a cloud storage service such as OneDrive or Dropbox for the convenience and for the ability to recover or restore valuable files after a factory reset.

Spreading malware

Regardless of what we think about Koler's pornography lure, the scam is working; otherwise the bad guys would not be using it. And the bad guys, never ones to miss an opportunity, will adapt Koler and similar Android ransomware to whatever other subject matter entices enough users to make it worth their while.