Android + PCs At Risk: Koler 'Police' Ransomware

Written by Alex Zaharov-Reutt      28/07/2014 | 21:48 | Category: SECURITY & SUPPORT

Shocking new details of the Koler 'police' mobile ransomware that is still attacking PCs and has infected 6223 Australian Android users has been uncovered by Kaspersky Lab in a new report.

Android + PCs At Risk: Koler
Kaspersky Lab's anti-malware researchers have been busy uncovering a hidden part of the malicious Koler 'police' mobile ransomware, first seen in April 2014, and dubbed by Kaspersky Lab as "Trojan.AndroidOS.Koler.a".

'Police' has been placed in quotes as the Koler ransomware tries different ways to trick users in different countries. 



Click to enlarge

Australian users of infected Android devices are presenting with a customised message that depicts "key Australian authorities, including the AFP; Australian Communications and Media Authority; Australian Crime Commission; and the Royal Australian Corps of Military Police" - and demanding payment. 

Distributed through "at least 48 malicious porn websites used by Koler's operators", the sites scan the devices that are connecting and offering "customised ransomware depending on location and device type - mobile or PC". 

If you end up on the wrong site, and whether you're connecting with an Android device or a Windows PC, you'll be redirected to a host of other malicious sites, controlled by Koler's creators, containing exploits that try to infect your computer with the Koler malware. 

Android users are taken to a download for an app called "animalporn.apk", which is the Koler Ransomware, but it doesn't install automatically - Kaspersky Lab notes that "the user still has to confirm the download and installation of the app", and while Kaspersky Lab doesn't say it, it shows how the end-user can be the weakest link in the security chain. 


Click to enlarge

If you're visiting one of those 48 sites on a Windows PC, and you're using Internet Explorer, you'll be redirected to one of the sites wit the "Angler Exploit Kit", which uses exploit kits that let hackers break into computers via Microsoft Silverlight, Adobe Flash or Java.

This highlights the need to ensure all the programs you use on your PC are regularly checked by you for updates, but even being fully up-to-date cannot protect against a zero-day exploit malware writers have at their disposal, and for which no security patch yet exists.  

Kaspersky Lab said the code it analysed was fully functional, and while that code didn't deliver any payload, "this may change in the near future" - which could see Koler or other types of malware loaded onto affected PCs. 

Australia is third on the list of Koler-affected Android users, with 6,223 Australian visitors to one of the affected sites joined by 13,692 in the UK and 146,650 in the US.
 
Vicente Diaz, Principal Security Researcher at Kaspersky Lab, said: "Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again."
  
"We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign income in a truly multi-device scheme," Diaz said.
 
Kaspersky Lab noted that Koler's Android-attacking component was disrupted on the 23rd of July when the malware writers' 'command and control' server started sending 'Uninstall' commands to mobile victims, effectively deleting the malicious application from each device when it next connected to the Internet. 
 
Of note however is that the rest of the malicious components for PC users - including the exploit kit - are still active. 

Kaspersky Lab gives credit to Koler's initial discoverer, a security researcher who goes by the name 'Kaffeine', and says it continues to investigate Koler and is sharing all its findings with Europol and Interpol, alongside "cooperating with law enforcement agencies to explore possibilities for shutting down the infrastructure."

The security company shares four tips to staying secure:
 
- Remember that you will never get official 'ransom' messages from the police, so never pay them;
- Don't install any app you find while browsing;
- Don't visit websites you don't trust;
- Use a reliable antivirus solution.
 
A detailed, 48 page PDF report entitled "Koler - The 'Police' ransomware for Android" and from which the images above were sourced is available at Kaspersky Lab's SecureList site.