Canadian users infected by a Mobile ransomware by visiting adult content websites

Pierluigi Paganini May 06, 2015

Canadian mobile users were targeted by the latest variant of the Koler Android mobile ransomware after visiting websites proposing adult content.

Once again, visitors of websites proposing adult content are targeted by cyber criminals. Last week a malvertising campaign hit visitors of the adult website XHamster, now Canadian Internet users victims were targeted by a malicious campaign spreading mobile ransomware.

Cyber criminals used a recent variant of the Koler Android mobile ransomware which displays victims a warning message that pretend to be from the Royal Canadian Mounted Police. The message warns users that they are under investigation of Canadian Authorities that have locks their system.

“This is the first one that we’ve seen specifically targeting Canadian citizens,” said Domingo Guerra, founder of the mobile security company Appthority.

The experts explained that bad actors behind the malicious campaign set up bogus websites pretending to offer adult content, or exploited ads on minor websites offering similar content.

ANDROID RANSOMWARE Koler via adult content website

When unaware users visit the malicious website, they are tricked into thinking that they are downloading a video viewer to display the adult content on their mobile devices, in reality they are installing a mobile ransomware that is localized for the region of the victims.

The extortion schema adopted by the cyber criminal not limit their action to the lock on the mobile, but crooks also menace victims to inform their contacts that they have been viewing adult website if they don’t pay a fee (“the ransom”). This tactic discourages victim to report the scam to the law enforcement and induces them to pay the fee that range from $100 up to around $500.

“This plays not just on the security aspect, but the shame of being caught,” said Guerra“But they’re embarrassed because it’s a pornography site, so they don’t want to tell anyone.

Guerra explained that there are some categories of users more exposed to these frauds, like Senior corporate executives that fearing embarrassment decide to pay.

“But they’re embarrassed because it’s a pornography site, so they don’t want to tell anyone.” Guerra added.

Guerra warns victims that in many cases the cyber criminals have no capability to unlock the phone, neither to send messages to the victim’s contacts. The expert also explained that in some cases victims can recover their mobile simply by booting it in safe mode in order to delete the app that locked the device.

“Most of the time there is a way to unlock it without paying the ransom,” he said. “You boot the phone in safe mode, delete the app, then reset the phone.”

Guerra also highlighted that the samples of mobile ransomware he has analyzed don’t implement file encryption to lock the user’s document.

“They claim to do that, but they actually don’t,” Guerra said. “It was just a trick.”

Ad usual, in order to avoid to be victim of these scams it is important to be aware of the threat and to assume a proper security posture especially in a workplace. Do not open unsolicited emails neither download apps from the third-parties stores.

Pierluigi Paganini

(Security Affairs – mobile ransomware, adult content)



you might also like

leave a comment