By: Viral Gandhi

Android Ransomware 'Koler' Learns To Propagate Via SMS

Mobile Malware

Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Crytolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating systems which limit the ability of apps to access the full file system. Despite this fact, the mobile market is clearly one that ransomware operators would like to tap into and Koler is a step in that direction.

In case of this new Koler variant, the malicious Android application arrives via a shortened bit.ly URL to a Dropbox location and pretends to be an image file. If the unsuspecting user downloads and installs the package, it will lock the user's screen, displaying a fake FBI warning page (see below), accusing the user of viewing child pornography. Additionally, we also found a new self-propagation module that allows it to spread by sending SMS messages containing the shortened URL to all contacts on the compromised device.
 
Analysis
 
Name: IMG_7821.apk
Permissions:
 
  • android.permission.INTERNET
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW

The user's device screen gets locked with following fake warning upon infection:
 
 
The ransom amount to unlock the device is U$300 USD as seen below:
 
Below, we can see the self-propagation code, where Koler sends out text messages containing a link to download the Koler APK, to all the contacts on the infected mobile device.
 
 
 

Full text message that gets sent out:
 "someone made a profile  named -Luca Pelliciari- and he uploaded some of your photos! is that  you? http://bit.ly/img7821". 

The shortened URL points to a Dropbox location hosting the same ransomware package. The dropbox file has now been taken down.

Upon successful infection, the ransomware also connects to a predetermined command and control server and sends out sensitive device information like build version and device id.
 
 
Command and Control callback
http://admobtube.com/send.php?v=4.0.3&brok=puks&u=XXX&id=XXXX&pin=XXXX

The ransomware variant also incorporates an anti-VM technique to avoid being debugged inside an emulator. This is achieved by checking for the value of the Device ID. If the value contains all zeros (indicating the presence on a VM), the application will hide and terminate itself as seen below:
 
 
Conclusion

We did not see any file encryption routine to encrypt the user's files, but it is able to lock the screen and stay persistent even after reboot.

It is highly recommended that users install applications from authorized stores only. It is important to check the developer information, ratings for the application, permissions requested upon installation and also ensure that the application has been signed by the developer.

Reference:
http://www.joesecurity.org/reports/report-c7ee04bf3e42640ef6b5015b8af01f4f.html

 

Learn more about Zscaler.