Koler

May 10, 2014

Summary

Ransom, fake warnings from the FBI, and phone locking

GroDDViewer graphs:

Details

This malware infects an Android phone while the user is browsing the Web. The user believes they are downloading a legitimate application (a video player, for instance) but instead gets an unwanted application on their device. Once installed, the ransomware requests full network access, permission to run at startup and permission to prevent the phone from sleeping. Together these permissions let the ransomware take control of the device. Full network access lets the malicious app communicate over the web and download the ransom message that is shown on the captive device. The permissions to run at startup and to prevent the phone from sleeping fully lock down the phone, preventing victims from escaping the ransom message. The ransomware localizes fake government messages according to the user's GPS location, accusing them of having viewed and downloaded inappropriate and illegal content. The ransomware, of course, demands a ransom: the price to regain access to the device, including all of its apps, which it claims are all encrypted, is set at around $300 and is to be paid through untraceable forms of payment such as MoneyPak.
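The description above names the three permissions the ransomware relies on to take over the device. As an added example (not code from the original page or from the Koler sample), the following Python script shows how an analyst can flag that lockdown combination in a decoded AndroidManifest.xml: it maps the behaviours named in the text to the corresponding Android permissions (INTERNET, RECEIVE_BOOT_COMPLETED, WAKE_LOCK, an assumed mapping) and also checks for a receiver registered on BOOT_COMPLETED, which is what actually makes an app restart after reboot. Both manifests below are constructed for the example; the package names and class names are invented.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace once the manifest is decoded to text XML.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from the behaviours described in the text to manifest permissions.
LOCKDOWN_PERMISSIONS = {
    "android.permission.INTERNET": "full network access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.WAKE_LOCK": "prevent the phone from sleeping",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def analyse_manifest(xml_text):
    """Return which lockdown permissions and boot receivers a manifest declares,
    plus a simple verdict: 'suspicious' only when all three permissions are
    present AND a receiver listens for BOOT_COMPLETED."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    matched = {p: why for p, why in LOCKDOWN_PERMISSIONS.items() if p in declared}

    # A permission alone does nothing; the restart-at-boot behaviour needs a receiver.
    boot_receivers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == BOOT_ACTION:
                boot_receivers.append(receiver.get(NAME_ATTR))

    full_set = len(matched) == len(LOCKDOWN_PERMISSIONS)
    verdict = "suspicious" if full_set and boot_receivers else "no lockdown pattern"
    return {
        "package": root.get("package"),
        "matched": matched,
        "boot_receivers": boot_receivers,
        "verdict": verdict,
    }


# Constructed manifest mimicking the behaviour described: a "video player" that
# asks for the three permissions and re-arms itself at boot.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application>
        <activity android:name=".LockScreenActivity"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a plausible real player: network access and WAKE_LOCK
# (to keep the screen on during playback) are normal; no boot persistence.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application>
        <activity android:name=".PlayerActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = analyse_manifest(text)
        print(result["package"], "->", result["verdict"])
        for perm, why in result["matched"].items():
            print("   ", perm, "(%s)" % why)
        if result["boot_receivers"]:
            print("    boot receivers:", ", ".join(result["boot_receivers"]))
```

The verdict is deliberately conservative: requiring the boot receiver in addition to the permissions avoids flagging ordinary media players, which legitimately hold INTERNET and WAKE_LOCK. In practice the manifest is obtained by decoding the APK (for example with apktool) before running a check like this.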

Other resources

Triggering

Start application : a fake warning from the FBI or other law enforcement agencies tells the victim that he has been found to have visited illegal sites containing child pornography and must pay a fine

Characteristics

Malware type :

Attacks :

Infection technique :

Malicious code type :

Hiding techniques :

Triggering techniques :

Samples

Java source code extracts: