A new iteration of the Android ransomware Koler has surfaced that’s trying to trick its victims into downloading the malware by propagating through SMS messages.
Android users receive SMS messages containing shortened bit.ly URLs that ultimately lead to the malicious .APK. Once opened, the package will lock the user’s screen, display a fake FBI warning and ask for $300 to unlock the device.
According to researchers from Zscaler, who described the ransomware, this variant of Koler differs from the rest in that a module in the .APK has a propagation code that sends the same shortened URL to all of the victim’s contacts.
The text message victims receive is apparently along the lines of the following: “someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you? http://bit.ly/img7821.”
The link leads to a malicious .APK – masquerading as an image file –that was originally hosted on Dropbox but that link has since been taken offline, according to Zscaler.
Once initiated, the malware gathers information about the device and communicates with a C+C server while it locks the screen.
“Upon successful infection, the ransomware also connects to a predetermined command and control server and sends out sensitive device information like build version and device ID,” Zscaler wrote.
Usually present on other strains of ransomware that encrypt users’ files, zScaler couldn’t find a file encryption routine on this version of Koler. Researchers did find that the malware was able to do exactly what it claimed however: Lock users screens and remain persistent even after the devices are rebooted.
Ransomware like Cryptolocker and CryptoWall has proven to be a force to be reckoned with for PCs, but Koler, which first came to light in May, looks to be adapting for mobile devices step-by-step with its contemporaries.
Researchers with Kaspersky Lab published a report regarding Koler in July and described just how flexible the ransomware’s infrastructure can be – hinting that the threat could eventually be adapted to target desktop users.
“The campaign is all about the distribution infrastructure used, expanding the fraud to desktop users and using an exploit kit infrastructure to distribute malware,” the report said at the time.