Security Experts:

Connect with us

Hi, what are you looking for?



Kaspersky Analyzes Distribution Network for Koler Mobile Ransomware

Kaspersky Lab has published a new research paper on Koler, the “police” ransomware that has been targeting Android users since April.

Kaspersky Lab has published a new research paper on Koler, the “police” ransomware that has been targeting Android users since April.

According to the report released Monday by the security firm, the mobile component of the campaign has not been functional since July 23, with the command and control (C&C) servers sending “uninstall” commands to infected devices in order to remove the malicious applications. However, Kaspersky is still working with international law enforcement agencies in an effort to completely shut down the campaign, which now targets PC users as well.

The existence of Koler was brought to light in early May by the French security researcher known as Kafeine. The threat is designed to lock the screen of infected Android devices and instruct their owners to pay between $100 and $300 to have them unlocked. The bogus warning messages are made to look like they come from law enforcement agencies from a total of 30 countries.

The mobile ransomware itself is simple. It doesn’t encrypt files, users must manually download and install the malicious application, and the screen locking mechanism works by putting the ransom note on top of other windows and not allowing interaction with it. However, according to Kaspersky, this campaign is highly notable because of the sophisticated distribution network used by cybercriminals.

The distribution infrastructure relies on a network of at least 48 malicious adult websites linked to the Keitaro traffic redirection system that takes victims to various payloads depending on their location and the type of device they’re using – PC or mobile. Researchers believe the cybercrooks are using pornographic websites in their scheme because people visiting such sites are more likely to think that they really have accessed illegal content, as the ransomware messages say.

When Internet users visit one of these websites from a mobile device, they’re redirected to a page that’s set up to serve the malicious Android application. If the victims are from one of the 30 countries targeted by Koler, but not using an Android device or Internet Explorer, they’re redirected to a browser-based lock screen that’s similar to the one served to Android users. There’s no malware infection, just a pop-up window that can be easily closed by pressing the ALT+F4 key combination, Kaspersky said.

The last scenario is the one in which victims visit one of the malicious adult websites from a PC using Internet Explorer. In this case, they are redirected to a website that hosts the Angler exploit kit, which leverages Java, Adobe Flash and Silverlight vulnerabilities to deliver a payload. Researchers say the exploit code is fully functional, but no payload is served for the time being.

Data from the C&C servers shows that over 146,000 of the visitors of these malicious websites are located in the United States, with the largest number of victims recorded in April, when the campaign started. As for the adult websites involved in the distribution network, Kaspersky has determined that they’re not compromised sites, but ones that have been created specifically for such purposes.

“Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again,” commented Vicente Diaz, principal security researcher at Kaspersky Lab. “We believe this infrastructure demonstrates just how well organized and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign income in a truly multi-device scheme.”

The complete paper, “Koler – The ‘Police’ ransomware for Android,” is available online in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.