Tuesday, May 20, 2014

Ransomware now targeting Android

CryptoLocker, a Windows ransomware, has gained notoriety recently. Last week, a ransomware targeting Android emerged. This ransomware is named Koler.A.

Let us take a look at what it does.

Ransomware behavior

A user infected with this ransomware will see the following message on their screen repeatedly. It states that the phone has been locked by the authorities and that you need to pay $300 via MoneyPak to have the phone unlocked.



What is annoying about this ransomware is that it takes over your screen by periodically showing the message above. This makes the phone unusable: as soon as you do something on it, the message overrides your screen again.



How does it work?

LockActivity.class

First, it reads a list of URLs from its resources and then loads a URL in a WebView. WebView enables the app to display web pages inside the application, and it is those URLs that show the message above. It also starts the LockService class, which acts as a watchdog and always respawns the LockActivity.





The service also sets an alarm that triggers the LockActivity every 2000 ms.




Suspicious Code

There were many suspicious declarations in the manifest file. First, it uses the package name "com.android", which is the default package name for Android system processes. Second, it autostarts after boot with a priority of 999. Third, it has two receivers declared as remote, which means they run in a separate process; this is done as a watchdog for the application. We can also note that the declared permissions, such as READ_PHONE_STATE, hint that it accesses the internet and phone system information (e.g., IMEI, phone number).




Code obfuscation

The malware author also obfuscated the code by giving the classes names that look alike, which makes them hard for a reverser to read.





