A strain of the Koler ransomware spread to Android devices by tricking users into downloading an application designed to look like Pornhub, one of the US’ most frequented adult sites.
Malware researcher Lukas Stefanko from the ESET security firm first discovered the campaign, which originated from advertisements on other adult websites. Users would be encouraged to download the app, ostensibly from Pornhub, so they could see more pornographic content. The device would be infected after they were redirected to download the false application.
If an Android user only accepted apps from the Google Store, they were likely protected from the attack. Users who allowed the installations of third-party applications were more vulnerable.
Once a device was infected, a ransom message designed to look like it came from the FBI popped up, saying the device was locked for attempting to access "forbidden pornographic sites," and for it to be unlocked the user had to pay a $500 fine within three days.
Android users have been impacted by Koler ransomware since 2014. The malware even boasts a geo-targeting feature that allows for ransom messages in different languages based on the user’s location.
The Pornhub malware, however, was reserved strictly for US users.
According to Stefanko, Koler is one of the first ransomware campaigns for Androids that used this particular tactic.
In a February white paper, ESET wrote that preventative measures like avoiding unofficial app stores and installing updated security could help users keep from falling victim to ransomware.
They wrote, "Chances are that users who take appropriate measures against ransomware will never face any request for ransom. And even if they fall victim and – worst case scenario – see their data encrypted, having a backup turns such an experience into nothing more than a nuisance."