Porn Ransomware Now Targeting Android Smartphones

LOS ANGELES—BitDefender Labs has issued a warning about new ransomware called Koler.A that targets Android smartphone owners by deceiving them into downloading fraudulent video player software. Similarly pernicious ransomware known as Cryptolocker has been wreaking havoc on desktops for a few years, but this latest variation, reports Tech Week Europe's Peter Judge, has recently made the jump to mobile, and is reportedly the handiwork of the "highly prolific gang behind the Reveton/IcePol network." However, unlike Cryptolocker, which encrypts a user's hard drive, "This Android variant is bluffing, as it does not have permission to do that. It also requires user involvement to install the software: users must have enabled 'sideloading' from sources other than Google’s Play app store, and must then accept and manually install the download." The software, which is found on compromised porn sites, "poses as a premium video player under the name 'BaDoink.' "Once installed," adds Judge, "it uses the device’s IMEI (International Mobile Equipment Identity) number to find the device’s home location, and sends a message purporting to come from a local police force, which claims the user has accessed 'banned pornography' including child porn, and demanding $300 to reactivate the phone." BaDoink, of course, is the name of an adult online magazine and video streaming service found at badoink.com. In this case, the crooks have incorporated not only Badoink's name but also its logo into their illegal scheme. In its posted warning about the new malware, BitDefender Labs offers a detailed look at how the scam works: "As the user browses," explains the Lab, "an application that claims to be a video player used for premium access to pornography downloads automatically. Unlike the Windows-based Reveton that is delivered via zero-interaction exploits, Koler.A still requires the user to enable sideloading and manually install the application. "The Trojan disables the back button, but still lets you briefly return to the Home screen. After you press the Home screen, you have five seconds to uninstall the APK before a timer brings the malicious application back to the foreground. This goes on every five seconds until you pay the ransom. "Although the message claims the stored data is encrypted, the application does not have the permissions it needs to touch files; it’s a lie to push users into paying the $300 ransom. "The bad news is that, by the time you see the message, the bad guys already have your IMEI on file. The good news is that Koler.A can be easily removed by either pressing the home screen and navigating to the app, then dragging it on the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app." While this version of ransomware is certainly malicious, it's what it represents that BitDefender believes is cause for concern. "The Android version of Icepol might be a test-run for cyber-criminals to see how well this type of scam can be monetized on mobile platform," explains the Lab. "If this is the case, we should expect much more sophisticated strains of ransomware, possibly capable of encrypting files, to emerge shortly." The unfortunate lesson for surfers is one they should already have learned; don't download any file you do not already know is legitimate and safe. AVN contacted Badoink for comment and received the following reply:   "On Wednesday, May 7, one of our developers discovered that the BaDoink brand and logo was being used to spread the Reveton/IcePol Ransomware. We reacted immediately, identifying the site that was distributing the ransomware, then contacting our corporate council, who took action to remedy the situation. He alerted the site's hosting company, and submitted a DMCA takedown request. Yesterday, he contacted the FBI's cybercrime division. Today, he's sending a cease and desist to the owners of the domain names as well. "BaDoink.com's desktop software application, 'The BaDoink Ultra App,' has been cornerstone to the BaDoink brand and member experience for years. We've also created mobile apps that are sold through the iTunes App Store and the GooglePlay Market; and they are marketed exclusively through the iTunes App Store and the GooglePlay Market. "So the notion that our brand or our software applications are being falsely associated with anything malicious is something we take seriously. It goes without saying that neither BaDoink.com, nor our company, CM Productions, LLC has anything whatsoever to do with this exploit, and, as stated above, we are doing everything in our power to ensure the entire issue is resolved immediately."