Android/Koler.A!tr

Analysis

Android/Koler.A!tr is a piece of ransomware targeting Android mobile phones.
The malicious package comes disguised as an application called BaDoink. When launched, it tries to contact several hardcoded C&C domains, sending the infected phone's IMEI in the request. The servers respond with fake pages claiming that the phone has been locked by the police "for safety reasons" and that all files on the phone have been encrypted; the page returned depends on the user's location and is customized for the corresponding country. In reality, no files on the phone are encrypted. However, using the phone becomes difficult because the lock screen is relaunched automatically every 5 seconds.

Technical Details


The main application is called "BaDoink" and comes in the package "com.android".

Fig1: Application Icon
When launched, the malware tries to contact one of the hardcoded domains present in the package.
  • hxxp://police-XXXXXX-mobile.com
  • hxxp://mobile-XXXXXXblock.com
  • hxxp://police-XXXXXX-mobile.com
  • hxxp://police-XXXX-mobile.com
  • hxxp://police-XXXXXX-stop.com
  • hxxp://police-XXXXX-mobile.com

It sends a GET request containing the phone's IMEI and a BuildID contained in the package strings. If the server responds with an HTTP 200 (OK) code, the webpage returned by the server is displayed on the victim's screen.
Normally, the server responds with a page displaying a ransom message that serves as the lock screen for the malware. The pages are customized by the server based on the victim's geographic location. Fig2 shows an example of a ransom page displayed for a user in France.

Fig2: Lock screen demanding ransom
No files on the phone are actually encrypted.
The user can exit the lock screen page; however, it is redisplayed every 5 seconds, leaving the victim very little time to uninstall the application.
The malware is automatically restarted whenever the phone screen goes off and when the phone reboots.
The package class names are obfuscated.
Certain strings used by the package are encrypted with a simple XOR using hardcoded keys that vary for each class.
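The following is an added example, not code from the Fortinet analysis or from the malware itself. It shows how an analyst recovers strings protected by a per-class single-byte XOR (the simplest reading of "a simple XOR with hardcoded keys"), and how to shortlist the key for a class when the constant is not obvious in the decompiled code. The class names, keys and plaintexts are constructed for the demo; the sample's real keys and strings are not reproduced.

```python
# Added example, not code from the Fortinet analysis or from the malware.
# Recovers strings obfuscated with a single-byte XOR whose key differs per
# class. The plaintexts and per-class keys below are constructed for the demo.
from typing import Dict, List

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key. XOR is its own inverse, so this
    both obfuscates a string and recovers it."""
    return bytes(b ^ key for b in data)

def decode_string(blob: bytes, key: int) -> str:
    return xor_bytes(blob, key).decode("latin-1")

def recover_strings(blobs: Dict[str, Dict[str, bytes]],
                    keys: Dict[str, int]) -> Dict[str, Dict[str, str]]:
    """blobs maps class name -> {field name -> obfuscated bytes};
    keys maps class name -> that class's hardcoded key."""
    return {cls: {field: decode_string(blob, keys[cls])
                  for field, blob in fields.items()}
            for cls, fields in blobs.items()}

def candidate_keys(blob: bytes) -> List[int]:
    """When a class's key constant is not obvious in the decompiled code,
    try all 256 keys and keep those whose output is printable ASCII,
    best-looking output (most letters and digits) first."""
    scored = []
    for k in range(256):
        out = xor_bytes(blob, k)
        if all(0x20 <= c < 0x7F for c in out):
            scored.append((sum(chr(c).isalnum() for c in out), k))
    return [k for _, k in sorted(scored, reverse=True)]

# Constructed per-class keys and plaintexts (hypothetical, not the sample's).
CLASS_KEYS = {"a": 0x5A, "b": 0x33}
PLAINTEXTS = {
    "a": {"c2": "http://c2.example.invalid/index.php?imei=",
          "ua": "Mozilla/5.0"},
    "b": {"action": "android.intent.action.BOOT_COMPLETED"},
}
# The obfuscated blobs are produced here by encoding the constructed plaintexts.
OBFUSCATED = {cls: {f: xor_bytes(s.encode("latin-1"), CLASS_KEYS[cls])
                    for f, s in fields.items()}
              for cls, fields in PLAINTEXTS.items()}

if __name__ == "__main__":
    for cls, fields in recover_strings(OBFUSCATED, CLASS_KEYS).items():
        for field, text in fields.items():
            print(f"{cls}.{field}: {text!r}")
    print("candidate keys for a.c2:", candidate_keys(OBFUSCATED["a"]["c2"])[:5])
```

The printable-ASCII filter discards most of the 256 keys because a URL contains ':' , '/' and '.', which map to control characters under nearly every wrong key; ranking the survivors by letter and digit count usually puts the real key at the top, but the shortlist should still be confirmed against the decompiled constant.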
The malware can be removed by resetting the phone, or by rebooting in safe mode and uninstalling the application as shown here.
Permissions required by the application:
  • RECEIVE_BOOT_COMPLETED
  • INTERNET
  • WAKE_LOCK
  • READ_PHONE_STATE

Certificate information:
  • Owner: CN=Android Debug, O=Android, C=US
  • Issuer: CN=Android Debug, O=Android, C=US
  • Serial number: 25519bef
  • Valid from: Sun Nov 04 13:59:16 CET 2012 until: Tue Oct 28 13:59:16 CET 2042
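As an added example (not code from the Fortinet analysis), the script below performs a static triage of an AndroidManifest.xml and the signing certificate subject for the indicators this page lists: the four permissions, a boot-completed receiver backing the restart-on-reboot behaviour, the bare "com.android" package name and the Android Debug signing certificate. The manifest text is constructed for the demo and is not the sample's own manifest; the certificate subject is the owner string printed above.

```python
# Added example, not code from the Fortinet analysis. Static triage of an
# AndroidManifest.xml plus the signing certificate subject for the indicators
# the writeup lists. The manifest text is constructed for the demo.
import xml.etree.ElementTree as ET
from typing import Any, Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
KOLER_PERMISSIONS = {"RECEIVE_BOOT_COMPLETED", "INTERNET",
                     "WAKE_LOCK", "READ_PHONE_STATE"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="BaDoink">
    <activity android:name=".a"/>
    <receiver android:name=".b">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Certificate owner exactly as the writeup prints it.
SAMPLE_CERT_SUBJECT = "CN=Android Debug, O=Android, C=US"

def android_attr(el: ET.Element, name: str) -> str:
    """Read an attribute from the android: namespace ("" if absent)."""
    return el.get(f"{{{ANDROID_NS}}}{name}", "")

def triage(manifest_xml: str, cert_subject: str) -> Dict[str, Any]:
    root = ET.fromstring(manifest_xml)
    # Short permission names, e.g. android.permission.INTERNET -> INTERNET
    perms = {android_attr(p, "name").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    # Receivers whose intent filter listens for BOOT_COMPLETED
    boot_receivers = [android_attr(r, "name") for r in root.iter("receiver")
                      if any(android_attr(a, "name") == BOOT_ACTION
                             for a in r.iter("action"))]
    flags = {
        # Exactly the permission set the writeup lists for Koler.A
        "koler_permission_set": perms == KOLER_PERMISSIONS,
        # Boot receiver backed by the permission that lets it fire
        "boot_persistence": bool(boot_receivers) and "RECEIVE_BOOT_COMPLETED" in perms,
        # Package name mimicking the system namespace with no further components
        "system_namespace_mimicry": root.get("package") == "com.android",
        # Signed with an Android Debug certificate rather than a developer's
        "debug_signed": "CN=Android Debug" in cert_subject,
    }
    return {"package": root.get("package"), "permissions": sorted(perms),
            "boot_receivers": boot_receivers, "flags": flags,
            "score": sum(flags.values())}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CERT_SUBJECT))
```

Each flag on its own is weak evidence (many legitimate apps request INTERNET and WAKE_LOCK, and a debug certificate only shows the package never went through a release signing step), so the score is meant to prioritise samples for manual review rather than to convict them.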

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                       Detection
FortiClient                   Extreme
FortiMail                     Extreme
FortiSandbox                  Extreme
FortiWeb                      Extreme
Web Application Firewall      Extreme
FortiIsolator                 Extreme
FortiDeceptor                 Extreme
FortiEDR

Version Updates

Date          Version     Detail
2021-02-03    83.76900
2020-01-29    74.88900
2019-04-12    67.75300