Android ransomware, which displays a message that claims to be from the Australian Federal Police (AFP) and other local law enforcement authorities, has affected 6,223 Australians since May 2014, according to research by Kaspersky Lab.
The Koler police mobile ransomware detects which country the user is based in and if they are using an Android or iOS phone. The ransomware also detects if the user is on a PC or tablet.
Australians have been served up a message that claims to be associated with AFP, the Australian Communications and Media Authority (ACMA), Australian Crime Commission (ACC) and the Royal Australian Corps of Military Police.
- Online banking malware increased in Australia during 2013: report
- Security vendors issue warning about Cryptolocker ransomware
- 16.5k malware infections reported daily in Australia
Kaspersky Lab United States principal security researcher Vicente Diaz said that once the victim has viewed the message they are redirected to one of 48 malicious adult websites used by Koler’s operators.
After that, the user is subjected to three scenarios. If the user has an Android phone, they are redirected to the Koler mobile ransomware. However, the user still has to download and install the app, which is called animalporn.apk.
If the consumer is not using an Android phone, they will get a message saying their phone has been blocked.
If the consumer is using Internet Explorer on their PC, they will be re-directed to a site that hosts the Angler exploit kit. According to Diaz, the kit has exploits for Silverlight, Adobe Flash and Java.
“During our analysis, the [Angler] exploit code was fully functional. However, it didn’t deliver any payload, but this may change in the near future,” he said in a statement.
Diaz warned that the cyber criminals have created a “well organised and dangerous” campaign.
“The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways of monetising their campaign income in a multi-device scheme.”
According to Diaz, the mobile component of the campaign was disrupted on July 23. The attacker’s command and control server started sending 'Uninstall' messages to victim’s phones which deleted the ransomware.
However, the PC Angler exploit kit is still active. “Kaspersky Lab has shared its findings with both Europol and Interpol, and is currently co-operating with law enforcement agencies to explore possibilities for shutting down the infrastructure,” he said.
An ACMA spokesman told Computerworld Australia that a version of the Koler malware has been around since July 2013.
ACMA’s advice for Australian users is to update anti-virus software and security patches on their phone, computer and tablet.
“Install personal firewall software and use long, unusual and random passwords,” said the spokesman. “Treat email attachments with caution and don’t click on links in suspect emails. Never visit suspicious websites.”
Follow Hamish Barwick on Twitter: @HamishBarwick