There has been a lot of discussion as of late on the subject of mobile malware; whether it is an issue that has been blown out of proportion or grossly underestimated is debatable. Regardless of the stance, there is one mobile threat family that serves as the canary in the coal mine when it comes to gauging the threat posed by mobile malware: Android Koler.
Android Koler (aka “FBI phone malware”) was one of the first mobile ransomware families in existence as well one of the few families that targeted victims in the US. It is also one of the few malware families that is constantly being updated to avoid detection and keep infection rates high. It’s ironic that the Verizon 2015 Data Breach Investigations Report (DBIR) dismissed the threat of mobile malware, while around the time of the publication of the report multiple complaints from Verizon customers infected by Android Koler were being posted to the their support forums asking for help, as the default security software from Verizon apparently failed to detect and protect the end user.
In the latest Android Koler distribution campaign, Appthority has identified a new spin being adopted to replace the traditional FBI warning with a Canada Royal Canadian Mounted Police (RCMP) warning. In other words, Android Koler has been localized to the Canadian market.
For those not familiar with Android Koler, let’s go over the scam. As Google Play has become strict about publication of apps related to adult content, pornographic apps have to be downloaded from third party app distribution sites. This provides an ideal cover for the bad actors behind the Koler family to distribute malware.
Once installed the malware falsely notifies the victim that their device has been found to contain illegal content that is in violation of legal codes, resulting in a fine being levied against the device owner. At this point, the device owner would be shown a warning screen, claiming to be from the FBI (now from the Royal Canadian Mounted Police). To ensure that devices’ owners don’t panic and attempt to dump the device or completely disconnect from the network, the notification from Android Koler even contains text notifying that the user that information from the device has already been uploaded and any attempts to dispose of the device would be futile. The user’s device is locked and the user is then asked to pay a fine (ransom) in order to unlock their device.
Appthority has been monitoring the latest campaign for the past few weeks and, in that period, we have come across multiple sites being used as distribution points. If previous campaigns are any indication for the potential impact of the new attack campaign, this new spin could result in severe footprints. For reference, previous Koler attack campaigns drove 300k+ users to sites that contained the malware. We expect that the impact from the latest campaign to be greater due to the addition of new geographical locations, particularly in Canada.
After installation, the malware locks the device, limiting interactions to just the threat notification/messaging as well the ability to pay the ransom being asked. Appthority is currently detecting this threat as malware and has reached out to legal authorities for further assistance to take down the relevant domains/serves associated with this threat.