SECURITY FIRM Kaspersky has revealed that the Koler "Police" ransomware infected more machines than first thought, affecting over 200,000 Android devices before it was shut down earlier this month.
In its "Koler - The 'Police' ransomware for Android" threat report, Kaspersky said that more than 200,000 Android devices that connected to the malicious server were potentially infected with the malware, and it listed the US and UK as the worst hit.
Kaspersky reported detecting 146,650 US and 13,692 UK connections between April and June, making the two countries bear the brunt of the attacks.
"During our analysis, we discovered that the infrastructure behind the distribution and infection process was far more complex than expected. The mobile infection is triggered when the user visits specific pornographic sites. Those sites are part of the distribution network created for this campaign," read the threat report.
"All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK. When visited, the website automatically redirects the user to the malicious application."
Kaspersky added that the criminal network appeared to have a second layer of functionality that could be used to mount attacks on Windows PCs as well as Android devices.
"Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again according to several conditions. This second redirection could be to a malicious Android application, browser-based ransomware or to a website with the Angler exploit kit," the threat report continued.
"In this final case, the exploit kit was not fully operational and we were unable to obtain its payload. However, the attackers used an API armed with the exploit kit to retrieve their landing sites."
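The redirection chain the report describes (lure site, central hub, then a platform-dependent final hop) is something a SOC can reconstruct from web-proxy logs. The script below is an added example written for this article, not Kaspersky's code or part of its report: it parses a constructed proxy-log format, stitches each client's 3xx hops into chains, and flags chains that pass through the hub named in the report or end in an APK download. The log layout, the client addresses, the lure and landing hostnames, the `app.apk` path and the sample lines are all constructed here for illustration; the only name taken from the report is the hub domain video-porno-gratuit.eu.

```python
"""Reconstruct redirect chains from proxy logs and flag the Koler-style fork:
Android clients bounced to an APK, other clients bounced elsewhere.

Added example for this article; not Kaspersky's code. The log format, sample
lines, client IPs, lure/landing hosts and the app.apk path are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: time client method url status location "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<location>\S+) "(?P<ua>[^"]*)"$'
)

# Hub named in the report (defanged as hxxp:// there; plain here so it parses).
KNOWN_HUBS = {"video-porno-gratuit.eu"}

# Constructed sample: one Android client, one Windows client, one benign
# request, and one malformed line the parser must skip.
SAMPLE_LOG = [
    '10:00:01 10.0.0.5 GET http://lure-0042.example/ 302 http://video-porno-gratuit.eu/ "Mozilla/5.0 (Linux; Android 4.4; Nexus 5)"',
    '10:00:02 10.0.0.5 GET http://video-porno-gratuit.eu/ 302 http://video-porno-gratuit.eu/app.apk "Mozilla/5.0 (Linux; Android 4.4; Nexus 5)"',
    '10:00:03 10.0.0.5 GET http://video-porno-gratuit.eu/app.apk 200 - "Mozilla/5.0 (Linux; Android 4.4; Nexus 5)"',
    '10:00:05 10.0.0.9 GET http://lure-0042.example/ 302 http://video-porno-gratuit.eu/ "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '10:00:06 10.0.0.9 GET http://video-porno-gratuit.eu/ 302 http://landing.example/index.php "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '10:00:07 10.0.0.9 GET http://landing.example/index.php 200 - "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '10:00:08 10.0.0.7 GET http://news.example/ 200 - "Mozilla/5.0 (Linux; Android 4.4; Nexus 5)"',
    'garbage line that does not parse',
]


def parse_log(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def redirect_chains(events):
    """Per client, link a 3xx response to the next request for its Location.

    Only chains of two or more hops are returned; a lone request is not a chain.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        chain = []
        for ev in evs:
            prev = chain[-1] if chain else None
            if prev and prev["status"].startswith("3") and prev["location"] == ev["url"]:
                chain.append(ev)
            else:
                if len(chain) > 1:
                    chains.append((client, chain))
                chain = [ev]
        if len(chain) > 1:
            chains.append((client, chain))
    return chains


def platform_of(ua):
    """Coarse platform guess from the User-Agent, the same signal a TDS keys on."""
    if "Android" in ua:
        return "android"
    if "Windows" in ua:
        return "windows"
    return "other"


def flag_chains(chains):
    """Flag chains that touch a known hub or end in an APK download."""
    hits = []
    for client, chain in chains:
        hosts = [urlsplit(e["url"]).hostname for e in chain]
        final_url = chain[-1]["url"]
        got_apk = urlsplit(final_url).path.lower().endswith(".apk")
        if got_apk or KNOWN_HUBS & set(hosts):
            hits.append({"client": client, "platform": platform_of(chain[0]["ua"]),
                         "hops": hosts, "final": final_url, "apk": got_apk})
    return hits


if __name__ == "__main__":
    for hit in flag_chains(redirect_chains(parse_log(SAMPLE_LOG))):
        print(f"{hit['client']} ({hit['platform']}): {' -> '.join(hit['hops'])}"
              f"{' [APK]' if hit['apk'] else ''}")
```

Run against the sample, the Android client is reported with the hub in its path and an `.apk` as its last hop, while the Windows client is reported for the same hub but a different final landing page, which is exactly the conditional redirection the report describes. In production the hub list would come from threat intelligence rather than a hard-coded set, and the APK check should be complemented by a `Content-Type` or `Content-Disposition` check, since a download does not have to carry an `.apk` extension in its path.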
The Koler ransomware was uncovered by security researcher Kaffeine in May and was believed to be a rather minor threat at first, blocking the screen of an infected device and requesting a ransom of between $100 and $300 in order to unlock the device.
At the time, Kaspersky said the software didn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen. As a result, the malware was largely ignored until 23 July, when the mobile part of the campaign was disrupted and its command and control (C&C) server was set to send "uninstall" requests to victims.
Kaspersky warned that although the Police ransomware was closed down, users should stay vigilant as the criminals' advanced network could be used to mount fresh attacks targeting a variety of groups in the very near future.
"With regards to the malicious mobile application, we have found different APKs [Android application packages] with the same behaviour," the report said.
"Some of them (not yet distributed through this malicious network) have interesting names such as Pronhub.com.apk, whatsapp.apk or updateflash.apk. This suggests the attackers could expand their campaign in the near future."