UPDATE (8 May 2014): CMSecurity has released a new tool, CM Cryptolocker Cleaner, that can help you out if you have been infected with this virus. For more information, head to the Google Play page, or follow the QR code:
Cyber security is very much a cat and mouse game. Security professionals and hackers are permanently trying to one-up each other, trying to out-think the opposite side. If hackers are ahead of the security companies, they can exploit new vulnerabilities for financial gain and renown. If security companies are ahead, they can proactively defend their users, gain their trust, and get more sales for their products.
For a long time, there was a perception that Android had no malware. While this was never true in the strictest sense, there was a period of time when the Android platform was mostly ignored, as hackers didn't really have an idea of how best to monetize it. Over time, though, they realized that the platform was becoming more popular, that users were storing more personal data on their devices, and that focusing their efforts on Android could net them some money.
In the last couple of days, we here at the CM Security Research Lab have come across a piece of malware known as Android-Trojan.Koler.A. This particular virus is among the first pieces of ransomware to hit the Android platform, and shows a growing refinement in the attacks being targeted at mobile users. Interestingly, this malware employs a very strong social engineering element to try to get you to part with your ransom money.
First, let's take a look at what ransomware is. This is a particular type of malware that has been seen on Windows PCs for a while now. In general, these are viruses that will prevent normal PC operations until you pay the hackers a small fee; in other words, they hold your PC for ransom. In the olden days, they might simply be an annoyance, constantly generating pop-ups, for example, until you paid up. More recently, they've become more advanced and more troublesome to deal with. In particular, there have been viruses which encrypt the files on your PC, making them useless, and which will only decrypt them in return for money.
Above is the message you'll see if you're infected by this new Android malware and being held to ransom. You'll notice that the message claims to be from a law enforcement division, and it accuses you of an embarrassing and illegal act. This has two very strong effects. First of all, it sends the user into a panic. They're accused of committing a potentially very serious crime, and they understandably want this accusation to go away as soon as possible. This clouds their judgement and can cause them to act irrationally. Second, it causes the user a great deal of embarrassment (it's worth noting that so far, this malware has only been found on pornographic websites). The user is less likely to seek help from friends or family members when they're accused of these acts, especially if they actually were viewing pornography when they became infected.
The malware takes control of your device, preventing you from using normal functions until it's removed. However, removing it can prove exceptionally tricky. Even if you are able to close it or make it disappear briefly, it will become active again after a few seconds. This makes it difficult to use Android's uninstall functions to remove it, or to start up an antivirus app which might be able to help.
Thankfully, it's not as bad as it could be. Despite what it claims, this malware does not actually encrypt any of your files. Once you've managed to remove it, you should be safe from any further ill effects. Regardless, with the frequency and intensity of attacks increasing month by month, it feels like it's only a matter of time before ransomware that really does encrypt files hits Android users.
The CM Security Research Lab has detected significant amounts of activity related to this virus recently: in the last week, the infection rate has increased by 200%. We believe this is indicative of a new wave of attacks being launched by the perpetrators. We're going to keep a close eye on how this progresses, and keep users informed of any developments.
If you want to keep yourself safe, here are some good tips to follow:
- If you come across any suspicious apk files that you don't remember downloading, don't touch them. Confirm where they came from, and if you can't, delete them immediately.
- As usual, prevention is better than cure. Keep yourself one step ahead of the hackers by installing a good antivirus on your phone, and keep it updated. We recommend our own CM Security, available for free at Google Play.