Android users might soon become victims of “Police Locker” ransomware, if they haven’t already, warns the researcher behind the Malware don’t need Coffee blog.
“The ‘Reveton team’ has diversified its locking activity,” he informs us. “The advert is old (2014-02-18) but i decided to write about it today as I found a Traffic Distribution System (TDS) using almost all features proposed by this affiliate including the Android locker.”
Other options for malware delivery include system lockers, fake AV, fake codecs, and Browlock ransomware.
The researcher discovered a threat actor that uses a TDS that employs almost all features: if you land on a malicious site using Internet Explorer, a variant of the Winlock ransomware is served. If you land with with another browser on Windows, Linux or Mac, you’ll get Brownlock.
Finally, if you land on it with Android, you will be redirected to a fake adult website that will automatically push the download of a malicious APK file masquerading as a video downloader app (and using the icon of the legitimate BaDoink Video Downloader).
The good news is that the user must approve the installation:
Another good news is that the malware is already detected by a dozen of AV solutions.
The malicious APK can call APIs that provide access to information about the telephony services on the device, in order to determine telephony services and states.
Once the malicious app is run or once the device is rebooted, this allows it to show a fake message saying that the device has been blocked and encrypted by the local police (with the apparent help of Mandiant – see the upper left corner of the fake notice):
The fine US users are asked to pay in order to get their phones unlocked is $300, payable via Money Pak.
Users from other countries (most European countries, Mexico, New Zealand, Canada, Australia, etc.) will see the message in their own language, purportedly shown by their own country’s police force.
“The locker is kind of effective. You can go on your homescreen but nothing else seems to work,” the researcher notes. “Launching Browser, callings Apps, or ‘list of active task’ will bring the Locker back.”
The malware is detected by most AV solutions as Trojan Koler, and the researcher has already spotted another threat actor delivering it. In this case, the malicious APK masquerades as the popular BSPlayer video player for Android.
If you get infected with Koler, here is how you remove it.