Reveton / IcePol Ransomware Makes the Move to Android
Published on: 12th May 2014
By: Ian Mansfield
The highly prolific gang behind the Reveton IcePol network virus are reported to have moved into targeting users of Android OS-based devices.
Bitdefender Labs says that it has uncovered a simple piece of Android ransomware, dubbed Android.Trojan.Koler.A, that is delivered automatically to internet users browsing malicious pornographic sites. As the user browses, an application that claims to be a video player used for premium access to pornography is downloaded. Unlike the Windows-based Reveton, which is delivered via zero-interaction exploits, Koler.A requires the user to enable sideloading and manually install the application.
Once in, the Trojan launches a browser on top of the home screen and briefly displays a logo of the player it impersonates. Meanwhile, the Android application package file (APK) calls home to one of the 200+ domains known to be involved in the scheme. It also sends the device's IMEI as well as a key that appears to be identical for all infections.
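The call-home described above can be looked for in web proxy logs. The following is an added example, not code from Bitdefender's report: it flags outbound requests whose query string carries a Luhn-valid 15-digit IMEI and reports any other parameter value that repeats across different IMEIs, as a key shared by all infections would. The log format, hosts, parameter names and key value are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log (client, method, URL). Hosts, parameter names
# and the key are placeholders, not indicators from the report.
SAMPLE_LOG = """\
10.0.0.11 GET http://c2-placeholder.example/a?id=490154203237518&k=STATICKEY01
10.0.0.12 GET http://other-placeholder.example/b?dev=356938035643809&token=STATICKEY01
10.0.0.13 GET http://shop.example/item?sku=123456789012345&session=u81x
10.0.0.14 POST http://cdn.example/img?w=640&h=480
"""

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; most random 15-digit numbers fail this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_imei_beacons(log_text: str):
    """Return (hits, shared): requests carrying an IMEI, and values reused across IMEIs."""
    hits = []
    seen = defaultdict(set)     # non-IMEI parameter value -> IMEIs it was sent with
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        split = urlsplit(url)
        # Only the query string is inspected; request bodies are not in this log.
        values = [v for _name, v in parse_qsl(split.query)]
        for imei in (v for v in values if re.fullmatch(r"\d{15}", v) and luhn_ok(v)):
            hits.append((client, split.hostname, imei))
            for other in values:
                if other != imei:
                    seen[other].add(imei)
    shared = {v: sorted(s) for v, s in seen.items() if len(s) > 1}
    return hits, shared

if __name__ == "__main__":
    hits, shared = find_imei_beacons(SAMPLE_LOG)
    print(hits)
    print(shared)
```

Matching on values rather than parameter names keeps the check independent of how a given sample labels its fields.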
"The bad news is that by the time you see the message, the bad guys already have your IMEI on file," states Catalin Cosoi, Chief Security Strategist at Bitdefender. "The good news is that Koler.A can be easily removed by either pressing the home screen and navigating to the app, then dragging it on the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app."
The server identifies the victim's location via an IP-to-geolocation lookup and responds with an HTML page localised in the victim's language. The Trojan then disables the back button, but still lets users briefly return to the home screen. After arriving at the home screen, users have five seconds to uninstall the APK before a timer brings the malicious application back to the foreground. This repeats every five seconds until the user pays the ransom.
"Although the message claims the stored data is encrypted, the application does not have the permissions it needs to touch files; it's a lie to push users into paying the ransom," continues Catalin Cosoi.
Koler.A is the second piece of ransomware Bitdefender has discovered to date, after the Fakedefender Trojan discovered in September last year. Its functionality is very limited, but the APK code is heavily obfuscated, either to deter analysis or to prevent a wannabe cyber-criminal from modifying the binary and using it for their own profit.
"The Android version of Icepol might be a test-run for cyber-criminals to see how well this type of scam can be monetised on mobile platforms," concludes Catalin Cosoi. "If this is the case, we should expect much more sophisticated strains of ransomware, possibly capable of encrypting files, to emerge shortly."