A peek into Police Locker’s distribution infrastructure

An analysis of the distribution infrastructure for the bothersome Android “Police Locker” ransomware has revealed that the attackers behind it are not putting all of their eggs in one basket, and have been looking to target Internet users using a variety of devices and software.

Since the existence of Police Locker (or “Koler”, as Kaspersky Lab dubs it) was publicly revealed, researchers have been following the workings of the Traffic Distribution System (TDS) that leads users to it.

The gateway of this distribution system is a network of automatically created pornographic sites (nearly 50 of them) that all look similar, are located on the same server, and don’t provide original material.

These domains redirect visitors to a “controller” domain (videosartex.us) that inspects the parameter in the URL, the referrer, the user agent and the geographic location of the visitor’s IP address, and redirects visitors accordingly.

Visitors using Android devices who are located in one of the 30 countries for which Police Locker has fake police messages are redirected to a page that serves an APK file called animalporn.apk.

This application and variants of it impersonate legitimate apps, and users have to approve the download and run them in order for their device to be infected.

All other visitors, except those using Internet Explorer, are redirected to browser-based ransomware websites; IE users land on sites hosting the Angler exploit kit, which was not functional at the time of the analysis.
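The routing just described (one controller URL sending Android, IE and other browsers to different destinations) is itself a detectable pattern in web-proxy logs. The following is an added example, not code from the article or from Kaspersky Lab: it parses a small constructed log, flags contact with the controller domain and APK downloads, and reports any redirecting URL that sends different user-agent families to different hosts. The log format, client addresses and every host other than videosartex.us and the APK name are assumptions made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

CONTROLLER = "videosartex.us"  # TDS controller domain named in the article

# Constructed log format (hypothetical): client ua_family "GET url HTTP/1.x" status "referrer" -> location
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ua>\S+) "GET (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3}) '
    r'"(?P<referrer>[^"]*)" -> (?P<location>\S+)$'
)

# Constructed sample log; .example hosts are placeholders, not the campaign's real sites.
SAMPLE_LOG = """\
10.0.0.5 Android "GET http://videosartex.us/?id=7 HTTP/1.1" 302 "http://tube1.example/" -> http://mobile.example/animalporn.apk
10.0.0.6 MSIE "GET http://videosartex.us/?id=7 HTTP/1.1" 302 "http://tube2.example/" -> http://ek.example/landing.php
10.0.0.7 Firefox "GET http://videosartex.us/?id=7 HTTP/1.1" 302 "http://tube1.example/" -> http://lock.example/police.html
10.0.0.8 Android "GET http://mobile.example/animalporn.apk HTTP/1.1" 200 "http://videosartex.us/?id=7" -> -
10.0.0.9 Firefox "GET http://news.example/index.html HTTP/1.1" 200 "-" -> -
"""

def parse(line):
    """Turn one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Return controller contacts, completed APK downloads and device-aware redirect candidates."""
    controller_hits, apk_downloads = [], []
    routing = defaultdict(lambda: defaultdict(set))  # redirecting URL -> UA family -> landing hosts
    for rec in filter(None, map(parse, log_text.splitlines())):
        if (urlparse(rec["url"]).hostname or "") == CONTROLLER:
            controller_hits.append(rec["client"])
        if rec["url"].lower().endswith(".apk") and rec["status"] == "200":
            apk_downloads.append((rec["client"], rec["url"], rec["referrer"]))
        if rec["status"].startswith("3") and rec["location"] != "-":
            routing[rec["url"]][rec["ua"]].add(urlparse(rec["location"]).hostname)
    # A URL that sends two or more UA families to more than one landing host behaves like a TDS.
    tds = {url: {ua: sorted(hosts) for ua, hosts in fam.items()}
           for url, fam in routing.items()
           if len(fam) > 1 and len({h for hs in fam.values() for h in hs}) > 1}
    return {"controller_hits": controller_hits, "apk_downloads": apk_downloads, "tds_candidates": tds}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log the one redirecting URL is reported as a TDS candidate with three distinct landing hosts, and the APK download is tied back to the controller through its referrer.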

During the period when researchers kept an eye on the campaign, the mobile infection domain was visited by almost 200,000 visitors, 80% of whom were from the US. Since July 23, the mobile part of the campaign has been disrupted and, according to the researchers, the C&C server has started sending an “Uninstall” request to victims.

“The use of a pornographic network for this ‘police’ ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one,” Kaspersky Lab experts pointed out.

Police Locker is not a destructive piece of ransomware – it doesn’t encrypt files on the infected device, nor does it perform advanced blocking – it simply blocks the screen of the device and asks for money to be paid to the “police” via stored-value cards (MoneyPak) or electronic payment systems such as Ukash.

It’s difficult to uninstall the malware while the blocking browser window keeps popping up, but a factory reset of the device gets rid of it. Unfortunately, you’ll also lose the data stored on the device and the apps you’ve installed.

Still, there are many inexperienced users who won’t know what to do and will ultimately pay the requested “fine.”

And while the malware is not complex, the distribution infrastructure obviously is.

“We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users,” the researchers say.

“The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.”