Defunct Koler ransom Trojan attacked 200,000 Android users in matter of weeks

C&C analysis spots 150,000 potential victims in US alone

The crude Koler.a 'police ransom' Trojan that started attacking Android smartphone users in April has finally been knocked out of action, but only after its command-and-control data revealed the disturbing, if brief, scale of its global success.

According to Kaspersky Lab, which recently gained access to the malware's command-and-control (C&C) statistics, Koler did most of its damage weeks before noted security blogger Kafeine reported its discovery in early May.

These numbers showed that around 196,000 Android users searching for porn on their mobile devices encountered the landing page used to push the malicious Trojan .apk file, about 150,000 of them from US-based IP addresses. Of the rest, nearly 14,000 were from the UK, 6,000 from Australia, and almost as many from Canada.

This has been misinterpreted by some as the number of users actually infected, although it more accurately measures how many users were confronted with the install request. How many went beyond this stage is anyone's guess, but it would have been far lower than the almost 200k figure implies, not least because by default Android blocks installation of apps from anywhere other than the Google Play store: a victim first had to enable the 'Unknown sources' setting before the downloaded .apk could be installed at all.

Of those infected, an even smaller number will actually have paid the $100-$300 demanded to rid themselves of the malware, with many working out how to remove it manually.

The figures are still sobering: by the end of April, before anyone had even heard of Koler, it had already reached 90 percent of its potential victims. Anyone who did install what they believed to be a porn application would have found their device 'locked' by a variant of the police ransom attacks used against PC users many times in recent years.

All this from a rough-and-ready ransom Trojan that even Kaspersky admits was more notable for its distribution system than for the sophistication of the malware itself. It had also tried its hand against some PC browser users, serving a simple browser-blocking page if it detected they were not running Internet Explorer.

On the basis of circumstantial evidence, Koler was almost certainly another Russian malware campaign, most likely connected to the gang behind the Reveton ransom Trojan that topped the malware league in 2013, Kaspersky said. On 23 July, Koler's mobile campaign was finally brought to an end, although Kaspersky does not make clear who was behind the takedown.

"Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again," said Kaspersky Lab principal security researcher Vicente Diaz.

"We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users."

Normally, news of malware targeting Android would be a sign of things to come, a warning to users of that platform. What Koler underlines is that criminals have moved far beyond that point and managed to reach 200,000 Android users before anyone even knew the attack existed.

Anyone whose smartphone did become infected might have found even this simple piece of malware a pain to get rid of, because the lock screen covers the interface the victim would normally use to uninstall it. The simplest method is to boot the phone into safe mode, which starts Android with only its built-in system apps, so the lock screen never appears and the offending app can be uninstalled from Settings, after which the remaining apps can be re-enabled (or not) one by one.
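Where the handset already had USB debugging enabled before the infection, an ADB-side triage is an alternative to the safe-mode route. The script below is an added example written for this page, not code from the article or from Kaspersky: it assumes `adb` is installed and authorised for the device, uses the real `settings get secure install_non_market_apps`, `pm list packages -3`, `am force-stop` and `adb uninstall` commands, and works on constructed sample output. The package name `com.example.videoplayer` and the allowlist are placeholders, not Koler's real identifiers.

```shell
#!/bin/sh
# Added example (not from the article): ADB triage of an Android handset showing
# a full-screen ransom lock. Assumes `adb` is on PATH and already authorised.
# All sample output below is constructed; com.example.videoplayer is a
# placeholder and is NOT Koler's real package name.

# Turn `adb shell pm list packages -3` output ("package:<name>" per line) into
# bare third-party package names, one per line, dropping the CRs adb adds on
# some hosts.
parse_package_list() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p'
}

# True when `settings get secure install_non_market_apps` reports 1, i.e. the
# 'Unknown sources' switch is on, which a sideloaded .apk needs to install.
unknown_sources_enabled() {
    [ "$(printf '%s' "$1" | tr -d '\r \n\t')" = "1" ]
}

# From the parsed list, print every package the owner does not recognise.
# $1: newline-separated package names; $2: space-separated allowlist.
suspect_packages() {
    pkgs=$1
    allow=$2
    for p in $pkgs; do
        case " $allow " in
            *" $p "*) ;;               # recognised third-party app, skip
            *) printf '%s\n' "$p" ;;   # installed during the sideload window?
        esac
    done
}

# Live run against a connected device (not exercised by the constructed demo).
triage_device() {
    setting=$(adb shell settings get secure install_non_market_apps)
    if unknown_sources_enabled "$setting"; then
        echo "Unknown sources is ON: sideloaded .apk installs were possible"
    fi
    parse_package_list "$(adb shell pm list packages -3)"
}

# Stop the lock-screen activity first so it cannot redraw, then uninstall.
remove_package() {
    adb shell am force-stop "$1" && adb uninstall "$1"
}

# --- constructed demo data ---
SAMPLE_PM='package:com.example.videoplayer
package:com.whatsapp
package:org.mozilla.firefox'
KNOWN='com.whatsapp org.mozilla.firefox'

if [ "${1:-}" = "demo" ]; then
    unknown_sources_enabled "1" && echo "sample setting: Unknown sources ON"
    echo "suspect packages:"
    suspect_packages "$(parse_package_list "$SAMPLE_PM")" "$KNOWN"
fi
```

Run with `sh triage.sh demo` to see the constructed case, or call `triage_device` and then `remove_package <name>` against a real handset. One caveat: if a ransom app has registered itself as a device administrator, `adb uninstall` is refused until that right is revoked under Settings, which is another reason safe mode remains the fallback.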

This story, "Defunct Koler ransom Trojan attacked 200,000 Android users in matter of weeks" was originally published by Techworld.com.
