Oh aye, a mobe grumble-flick player? No – it's a 'droid ransomware nasty

Yet another trojan targets pr0n-viewers with false data scrambling threat

By John Leyden, 9 May 2014

Ransomware scumbags have widened their net with a new software nasty that infects Android smartphones and tablets.

The Koler-A ransomware trojan is delivered automatically to peeps browsing malicious pornographic sites; it poses as a media player offering access to premium content.

Koler-A requires the user to enable side-loading and manually install the application, so it could be argued the malware mostly preys on the foolish using basic social-engineering trickery. It does not use software vulnerabilities to install itself automatically, or other more advanced techniques.

Once installed, the trojan launches a browser on top of the home screen and briefly displays a logo of the player it impersonates. Meanwhile, in the background, an Android application package file (APK) calls home to one of the 200+ domains known to be involved in the scam and transmits the compromised device's IMEI in the process, as well as a key that appears to be identical for all infections.

Full Article
 
For all its much-derided position in the world of the phone OS, I am glad that I am using Windows Phone and therefore missing out on the likes of the above.
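The article quoted above says the trojan calls home with the device's IMEI plus a key that looked identical for every infection. As an added example (not from the thread or any of the quoted articles), the Python below scans a constructed outbound-proxy log for requests whose query string carries a Luhn-valid IMEI, then flags any other parameter value that is sent alongside IMEIs from several distinct devices; the log layout, the `.invalid` hostnames and the parameter names are all assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log: "<client ip> <method> <url>", one request per line.
SAMPLE_LOG = """\
10.0.0.11 GET http://scam-a.invalid/gate.php?imei=356938035643809&key=deadbeefcafe
10.0.0.12 GET http://scam-b.invalid/gate.php?imei=490154203237518&key=deadbeefcafe
10.0.0.13 GET http://updates.vendor.invalid/check?device=android&ver=4.4
10.0.0.14 POST http://scam-a.invalid/gate.php?imei=352099001761481&key=deadbeefcafe
10.0.0.15 GET http://cdn.vendor.invalid/report?session=123456789012345
"""

def luhn_ok(digits):
    """Luhn checksum, which is what the 15th IMEI check digit satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_imei(value):
    """15 digits with a valid Luhn check digit; a random 15-digit token does not pass."""
    return len(value) == 15 and value.isdigit() and luhn_ok(value)

def find_imei_beacons(log_text):
    """One record per request whose query string carries a Luhn-valid IMEI."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        url_parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(url_parts.query).items()}
        imeis = [v for v in params.values() if is_imei(v)]
        if imeis:
            hits.append({"client": client, "host": url_parts.hostname,
                         "imei": imeis[0], "params": params})
    return hits

def shared_values(hits, min_devices=2):
    """(parameter, value) pairs sent with IMEIs from at least min_devices distinct devices."""
    devices = defaultdict(set)
    for h in hits:
        for name, value in h["params"].items():
            if value != h["imei"]:
                devices[(name, value)].add(h["imei"])
    return {pair: sorted(ims) for pair, ims in devices.items() if len(ims) >= min_devices}
```

Feeding real proxy logs through `find_imei_beacons` and then `shared_values` turns the "same key from every infection" detail into a concrete hunting query: one constant token seen with many different IMEIs to a handful of hosts.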

Posted by FSLabs @ 16:23 GMT
 
Crimeware has steadily transferred Windows-based technology to Android. We've seen phishing, fake-antivirus scams, banking trojan components, and now… ransomware.

Yep. "Police ransomware" on Android. Our name for it is, Koler.
 
The crimeware ecosystem has long been aware of Android systems it routinely comes into contact with — it's not really much of a surprise to see ransomware attempt to make the jump.

Here's how it works:

Compromise occurs when the user visits a booby-trapped (pornographic) website with his Android device. The malware then pretends to be a video player and requests installation. This is dependent upon the "enable unknown sources" setting being configured.

When the installation is completed, Koler sends the phone's identification information to its remote server. After this, the server returns a webpage declaring that the user has visited an illegal porn site and the phone is locked. To unlock, the user is told to pay a fine (ransom).

Even though Koler claims to encrypt files, in reality, nothing is encrypted.
 
Full Article
Article from the Irish Times with some good Grayson quotes:
 
Grayson Milbourne, the director of security intelligence at Webroot, agrees it’s likely the cybercriminals responsible are “flexing their muscles” before conducting more widespread ransomware attacks.
Milbourne says, “In this specific case it’s the social engineering element of pornography telling users you need this codec to play this video, and this is how they’re suggesting to install the [malicious] app” responsible for Koler.A.
 
Full article.
