Security experts are warning that new Android ransomware discovered in the wild could be the start of a major campaign against mobile users by the notorious gang behind the Reveton/IcePol malware.
The ransomware in question, Android.Trojan.Koler.A, is disguised as the video player “BaDoink” and automatically pops up when the victim browses certain porn sites, according to Bitdefender.
However, unlike the Reveton/IcePol malware it appears to mimic – which installs automatically with no action by the victim – this ransomware requires the user to enable sideloading and manually install it.
Once installed, it launches a browser over the home screen displaying a BaDoink logo while it grabs the device IMEI, and the Android application package (APK) calls home to one of the 200+ domains known to be involved in the scheme.
At the same time, a Geo-IP lookup identifies the phone’s location so that the HTML page that follows is localised.
Victims in the UK are presented with a lock screen featuring Metropolitan Police, Soca and PCeU logos and an official-looking message claiming that the user has broken child porn and copyright laws.
Although the Trojan disables the back button, users are able to briefly visit the home screen, with only five seconds to uninstall the APK before the lock screen reappears.
“This is a brand-new approach that appears to be specifically targeted for mass infection,” Bitdefender chief security strategist, Catalin Cosoi, told Infosecurity.
“This approach relies on fear of the authorities to do the heavy lifting as the locking mechanism itself is not that sophisticated. It is a technique that paid off in the Windows-based space, so it was only a matter of time until it was implemented on mobiles.”
As with all ransomware, the intention is to scare the user into paying up, in this case a $300 fine.
“The bad news is that by the time you see the message, the bad guys already have your IMEI on file,” Cosoi explained in a blog post.
“The good news is that Koler.A can be easily removed by either pressing the home screen and navigating to the app, then dragging it on the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app.”
It must be said that the scam is not particularly sophisticated. Although the lock screen message claims that the victim’s files have been stored encrypted, the Trojan actually doesn’t have permission to interfere with the mobile device’s files, according to the firm.
That’s in contrast to the only other piece of Android ransomware spotted to date, Android.Trojan.Fakedefender, according to Cosoi.
“It was far more intrusive because it asked for many more permissions and would also ask the user to manually grant the Trojan Device Administrator access,” he told Infosecurity. “If the user allowed the application to administer the device, the locking mechanism would be permanent and impossible to bypass without a full device wipe.”
However, this is not to say that the ransomware should be brushed off as a pretty basic effort. “Its functionality is very limited, but the APK code is highly obfuscated, either to deter analysis, or to prevent a wannabe cyber-criminal from modifying the binary and using it for his own profit,” Bitdefender wrote.
“The Android version of IcePol might be a test-run for cyber-criminals to see how well this type of scam can be monetized on the mobile platform. If this is the case, we should expect much more sophisticated strains of ransomware, possibly capable of encrypting files, to emerge shortly.”
Several members of the gang behind Reveton/IcePol were arrested back in February 2013 as part of a major Europol bust. However, as mentioned at the time, many escaped capture.
“Ransomware gangs work on an affiliate basis most of the time, so the police are only able to dismantle satellite operations rather than cracking down on the entire business,” Cosoi explained.