Defunct Koler ransom Trojan attacked 200,000 Android users in matter of weeks

C&C analysis spots 150,000 potential victims in US alone

The crude Koler.a 'police ransom' Trojan that started attacking Android smartphone users in April has finally been knocked out of action by researchers, but only after revealing the disturbing, if brief, scale of its global success.

According to Kaspersky Lab, which recently gained access to the malware's command and control stats, Koler did most of its damage weeks before noted security blogger Kafeine reported its discovery in early May.

These numbers showed that around 196,000 Android users searching for porn on their mobile devices encountered the landing page used to install the malicious Trojan .apk file, about 150,000 of them from US-based IP addresses. Of the rest, nearly 14,000 were from the UK, 6,000 from Australia, and almost as many from Canada.

This has been misinterpreted by some as the number of users actually infected, although it more accurately measures how many users were confronted with the install request. How many went beyond this stage is anyone's guess, but it would have been far lower than the almost 200k figure implies, not least because by default Android disallows installs from third-party sites.

Of those infected, an even smaller number will actually have paid the $100-$300 sum to rid themselves of the malware, with many working out how to remove it by manual means.

The figures are still sobering: by the end of April, before anyone had even heard of Koler, it had hit 90 percent of its potential victims. Anyone who did install what they believed to be a porn application would have found their device 'locked' by a variant of the police ransom attacks used against PC users many times in recent years.

All this from a rough-and-ready ransom Trojan that even Kaspersky admits was more notable for its distribution system than for the sophistication of the malware itself. It had also tried its hand against some PC browser users, serving a simple blocking template if it detected they were not running Internet Explorer.

On the basis of circumstantial evidence, Koler was almost certainly another Russian malware campaign, most likely connected to the gang behind the Reveton ransom Trojan that topped the malware league in 2013, Kaspersky said. On 23 July, Koler's mobile campaign was finally brought to an end, although Kaspersky doesn't make clear who was behind the takedown.

"Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub using a traffic distribution system where users are redirected again," said Kaspersky Lab principal security researcher Vicente Diaz.

"We believe this infrastructure demonstrates just how well organised and dangerous this campaign is. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users."

Normally, news of malware targeting Android would be a sign of things to come, a warning to users of that platform. What Koler underlines is that criminals have moved far beyond that point and managed to reach 200,000 Android users before anyone even knew the attack existed.

Anyone whose smartphone did become infected might have found even this simple piece of malware a pain to get rid of. The simplest method is always to boot the phone in safe mode, after which it is possible to load (or not) apps one by one.

Stories by John E Dunn