More than 6k Australians duped by Koler Android ransomware: report

More than 6k Australians duped by Koler Android ransomware: report

Kaspersky Lab says 6,223 Australians have been fooled by a customised message that uses logos from AFP, ACMA and ACC

Android ransomware, which displays a message that claims to be from the Australian Federal Police (AFP) and other local law enforcement authorities, has affected 6,223 Australians since May 2014, according to research by Kaspersky Lab.

The Koler police mobile ransomware detects which country the user is based in and if they are using an Android or iOS phone. The ransomware also detects if the user is on a PC or tablet.

Australians have been served up a message that claims to be associated with AFP, the Australian Communications and Media Authority (ACMA), Australian Crime Commission (ACC) and the Royal Australian Corps of Military Police.

Kaspersky Lab United States principal security researcher Vicente Diaz said that once the victim has viewed the message they are redirected to one of 48 malicious adult websites used by Koler’s operators.

After that, the user is subjected to three scenarios. If the user has an Android phone, they are redirected to the Koler mobile ransomware. However, the user still has to download and install the app, which is called animalporn.apk.

If the consumer is not using an Android phone, they will get a message saying their phone has been blocked.

If the consumer is using Internet Explorer on their PC, they will be re-directed to a site that hosts the Angler exploit kit. According to Diaz, the kit has exploits for Silverlight, Adobe Flash and Java.

“During our analysis, the [Angler] exploit code was fully functional. However, it didn’t deliver any payload, but this may change in the near future,” he said in a statement.

Diaz warned that the cyber criminals have created a “well organised and dangerous” campaign.

“The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetising their campaign income in a multi-device scheme.”

According to Diaz, the mobile component of the campaign was disrupted on July 23. The attacker’s command and control server started sending 'Uninstall' messages to victim’s phones which deleted the ransomware.

However, the PC Angler exploit kit is still active. “Kaspersky Lab has shared its findings with both Europol and Interpol, and is currently co-operating with law enforcement agencies to explore possibilities for shutting down the infrastructure,” he said.

An ACMA spokesman told Computerworld Australia that a version of the Koler malware has been around since July 2013.

ACMA’s advice for Australian users is to update anti-virus software and security patches on their phone, computer and tablet.

“Install personal firewall software and use long, unusual and random passwords,” said the spokesman. “Treat email attachments with caution and don’t click on links in suspect emails. Never visit suspicious websites.”

Read more: Attorney-General department refuses to name third agency using s313

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags kaspersky labAustralian Communications and Media Authority (ACMA)Australian Federal Police (AFP)Angler ExploitKoler 'police' ransomware

More about Adobe SystemsAustralian Communications and Media AuthorityAustralian Communications and Media AuthorityAustralian Crime CommissionAustralian Federal PoliceEuropolFederal PoliceInterpolKasperskyKaspersky

Show Comments