Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Android Ransomware 'Koler' Learns To Propagate Via SMS

image
VIRAL GANDHI
October 24, 2014 - 3 min read
Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Crytolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating systems which limit the ability of apps to access the full file system. Despite this fact, the mobile market is clearly one that ransomware operators would like to tap into and Koler is a step in that direction.

In case of this new Koler variant, the malicious Android application arrives via a shortened bit.ly URL to a Dropbox location and pretends to be an image file. If the unsuspecting user downloads and installs the package, it will lock the user's screen, displaying a fake FBI warning page (see below), accusing the user of viewing child pornography. Additionally, we also found a new self-propagation module that allows it to spread by sending SMS messages containing the shortened URL to all contacts on the compromised device.
 
Analysis
 
Name: IMG_7821.apk
Permissions:
 
  • android.permission.INTERNET
  • android.permission.READ_CONTACTS
  • android.permission.READ_PHONE_STATE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW

The user's device screen gets locked with following fake warning upon infection:
 
Image
 
The ransom amount to unlock the device is U$300 USD as seen below:
Image
 
Below, we can see the self-propagation code, where Koler sends out text messages containing a link to download the Koler APK, to all the contacts on the infected mobile device.
 
Image
 
 
Image

Full text message that gets sent out:
 "someone made a profile  named -Luca Pelliciari- and he uploaded some of your photos! is that  you? http://bit.ly/img7821". 

The shortened URL points to a Dropbox location hosting the same ransomware package. The dropbox file has now been taken down.

Upon successful infection, the ransomware also connects to a predetermined command and control server and sends out sensitive device information like build version and device id.
 
Image
 
Command and Control callback
http://admobtube.com/send.php?v=4.0.3&brok=puks&u=XXX&id=XXXX&pin=XXXX

The ransomware variant also incorporates an anti-VM technique to avoid being debugged inside an emulator. This is achieved by checking for the value of the Device ID. If the value contains all zeros (indicating the presence on a VM), the application will hide and terminate itself as seen below:
 
Image
 
Conclusion

We did not see any file encryption routine to encrypt the user's files, but it is able to lock the screen and stay persistent even after reboot.

It is highly recommended that users install applications from authorized stores only. It is important to check the developer information, ratings for the application, permissions requested upon installation and also ensure that the application has been signed by the developer.

Reference:
http://www.joesecurity.org/reports/report-c7ee04bf3e42640ef6b5015b8af01f4f.html

 
form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.