Android ransomware incident may be start of things to come

Mobile security experts warn that cybercriminals may be ‘testing the waters’

Blackphone chief executive Toby Weir-Jones is blunt. "We're lucky that in this go-around it's pretty amateur and crude," he says.

Looking at reports flagging up the first major recorded instance of Android ransomware, Weir-Jones says there’s a theory that cybercriminals are “testing the waters to see what kind of coverage they can get before investing more resources and developing more sinister ransomware”.

Weir-Jones, whose company recently launched a privacy-focused smartphone, adds, “I have no doubt that will come.”

What has Weir-Jones and others in the industry concerned is the discovery of Koler.A, a piece of mobile malware that, as with PC versions of ransomware, locks a device preventing users from accessing their data, apps and services until they pay a 'fine' to the cybercriminals on the other end of the device.

Kafeine hit
In the case of Koler.A, which was first discovered earlier this month by French security blogger Kafeine, those who fall foul of the attack will be asked for a fee of about €220 before getting use of their phone back.


Grayson Milbourne, the director of security intelligence at Webroot, agrees it's likely the cybercriminals responsible are "flexing their muscles" before conducting more widespread ransomware attacks.

Milbourne says, “In this specific case it’s the social engineering element of pornography telling users you need this codec to play this video, and this is how they’re suggesting to install the [malicious] app” responsible for Koler.A.

Koler.A is a "police Trojan", which means it uses geo-location data to pose as the local police force and tells those who have downloaded the ransomware that they must pay the fine to the FBI, carabinieri or Garda depending on where in the world they are.

Locking down laptops
Robert McArdle, a Cork-based senior threat researcher with Trend Micro, says this method has proved a particularly good "business model" for cybercriminals locking down laptops or PCs, "because pretending you're the police gets more people paying than other versions of the scam".

With Koler.A, software which is placed in website ads redirects web users to a particular site embedded with browser exploit kits. One “drive-by download” later and the ransomware is installed.

As Weir-Jones notes, this isn't the most elegant of designs, as "you have to go to a certain place to get it" and users must also have enabled the download of apps from outside the Google Play Store on their phone.

Milbourne says it’s worth pointing out that “roughly a third of [smartphone] users install apps from third-party sources” with many going to sites “offering a hacked app that costs a few dollars on the Google Play store”.

This, he says, leads to "a market for compromised apps".

Online activities
Senior security researcher at Kaspersky Lab David Emm says,"Given the fact that we're using smartphones for many online activities and to hold so much of our personal data, it's no surprise to see cybercriminals targeting them."

For Apple and Windows phone users, Milbourne says he doesn’t “foresee [ransomware] becoming as much of an issue” in the near-term due to “very closed systems for app installation”.

With this issue already facing Android users though, the Webroot director of security intelligence adds that one other concerning trends for users of the operating system is the increasing "sale of Google developer credentials" in "underground markets" online.

Stolen credentials
Often these have been stolen from "trusted Google developers" who have the ability to "post new applications on that market".

Milbourne says, “What you could do in this scenario is log in as a developer who potentially has an app out that’s been installed by thousands, if not more users and then modify this application with malicious content and push out the update.”

With many apps configured to “auto-update,” he says, Android users may be faced with a situation where “seamlessly without any interaction at all you have the ability to then infect devices”.

While a “very dangerous possibility” Milbourne notes that currently acquiring such credentials will usually cost “over $1,500”.

Even in such cases, though, Trend Micro’s McArdle says avoiding ransomware or any kind of mobile malware is a case of “changing most users’ habit of saying yes to all the permissions” when downloading an app.

Kaspersky Lab’s Emm agrees. “The most vulnerable aspect of mobile security is the person using the device,” he says, adding that a “security mindset” must be developed among mobile users.

Milbourne says, “It’s no different to when seatbelts were first introduced in cars and people said, ‘you’re kidding, I’m not wearing that, it’s ridiculous, and I’m better off being thrown when I crash’.

“The old horse-riding mentality. It took a while but eventually the benefits became relatively indisputable.”