Kaspersky Lab has published a new research paper on Koler, the “police” ransomware that has been targeting Android users since April.
According to the report released Monday by the security firm, the mobile component of the campaign has not been functional since July 23, with the command and control (C&C) servers sending “uninstall” commands to infected devices in order to remove the malicious applications. However, Kaspersky is still working with international law enforcement agencies in an effort to completely shut down the campaign, which now targets PC users as well.
The existence of Koler was brought to light in early May by the French security researcher known as Kafeine. The threat is designed to lock the screen of infected Android devices and instruct their owners to pay between $100 and $300 to have them unlocked. The bogus warning messages are made to look like they come from law enforcement agencies from a total of 30 countries.
The mobile ransomware itself is simple. It doesn’t encrypt files, users must manually download and install the malicious application, and the screen locking mechanism works by putting the ransom note on top of other windows and not allowing interaction with it. However, according to Kaspersky, this campaign is highly notable because of the sophisticated distribution network used by cybercriminals.
The distribution infrastructure relies on a network of at least 48 malicious adult websites linked to the Keitaro traffic redirection system that takes victims to various payloads depending on their location and the type of device they’re using – PC or mobile. Researchers believe the cybercrooks are using pornographic websites in their scheme because people visiting such sites are more likely to think that they really have accessed illegal content, as the ransomware messages say.
When Internet users visit one of these websites from a mobile device, they’re redirected to a page that’s set up to serve the malicious Android application. If the victims are from one of the 30 countries targeted by Koler, but not using an Android device or Internet Explorer, they’re redirected to a browser-based lock screen that’s similar to the one served to Android users. There’s no malware infection, just a pop-up window that can be easily closed by pressing the ALT+F4 key combination, Kaspersky said.
The last scenario is the one in which victims visit one of the malicious adult websites from a PC using Internet Explorer. In this case, they are redirected to a website that hosts the Angler exploit kit, which leverages Java, Adobe Flash and Silverlight vulnerabilities to deliver a payload. Researchers say the exploit code is fully functional, but no payload is served for the time being.
Data from the C&C servers shows that over 146,000 of the visitors of these malicious websites are located in the United States, with the largest number of victims recorded in April, when the campaign started. As for the adult websites involved in the distribution network, Kaspersky has determined that they’re not compromised sites, but ones that have been created specifically for such purposes.
“Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again,” commented Vicente Diaz, principal security researcher at Kaspersky Lab. “We believe this infrastructure demonstrates just how well organized and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetizing their campaign income in a truly multi-device scheme.”
The complete paper, “Koler – The ‘Police’ ransomware for Android,” is available online in PDF format.