Cryptolocker, a windows ransomware has gained popularity recently. Last week, a ransomware targeting Android emerged. This ransomware is named Koler.A.
Let us take a look at what it does.
A user infected with this ransomware will have the following message on their screen repeatedly. It states that your phone has been locked by the authority and you need to pay $300 via MoneyPak to have your phone unlocked.
What is annoying about this ransomware is that it will takeover your screen by periodically showing the message above. This makes your phone unusable because as soon as you do something on your phone, it will override your screen.
How does it work?
First, it reads a list of URL from its resource and then loads the url via webview. Webview enables the app to display web pages inside the application. It is those urls that will show the message above. It also starts the LockService class which acts as a watchdog and will always respawn the LockActivity.
The service also sets an alarm that would trigger the LockActivity every 2000 ms.
There were many suspicious declaration in the manifest file. First, it uses package name "com.android" which is the default package name for the android system processes. Second, it uses autostarts after boot having a priority of 999. Third, it has two receivers declared as remote which means a separate process. This is done as a watchdog for the application. We can also note that with the declared permission, READ_PHONE_STATE, it gives you a hint that it accesses internet and phone system information (e.g., IMEI, phone number).
The malware author included code obfuscation by making the class names similar to each other which is hard for the reverser to read.