To stoke maximum fear, ransomware geolocates users, targets them by country.

Researchers have uncovered Android-based malware that disables infected handsets until end users pay a hefty cash payment to settle trumped-up criminal charges involving the viewing of illegal pornography.
To stoke maximum fear, Android-Trojan.Koler.A uses geolocation functions to tailor the warnings to whatever country a victim happens to reside in. The screenshot to the right invoking the FBI, for instance, is the notice that's displayed on infected phones connecting from a US-based IP address. People in Romania and other countries will see slightly different warnings. The malware prevents users from accessing the home screen of their phones, making it impossible to use most other apps installed on the phone. The normal phone functions in some cases can be restored only when the user pays a "fine" of about $300, using untraceable payment mechanisms such as Paysafecard or uKash.

The discovery of Koler.A comes 18 months after researchers from Symantec found that so-called ransomware extorts an estimated $5 million a year from users of traditional PCs. Ransomware refers to malware that disables computers and demands that cash payments be paid to purported law-enforcement agencies before the machines are restored. More recently, ransomware scammers upped their game by building strong cryptography into malware, known as Cryptolocker, that holds entire hard drives hostage until end users pay a Bitcoin ransom of $300.

The functions in Koler.A have been obfuscated to slow down the process of analyzing exactly how the malware works. Still, there's no evidence that the malware encrypts any files on a phone's storage.

"The ransomware's main component is a browser view that stays on top of all other applications, Bitdefender Senior E-Threat Analyst Bogdan Botezatu wrote in an e-mail. "You can press Home and go to the homescreen, but a timer would bring it back on top in about 5 seconds. I managed to uninstall it manually by swiftly going to applications and dragging the icon on the Uninstall control, but it only works if the application icon is on the first row. Otherwise, one wouldn’t have the necessary time to drag it to the top, where the uninstall control is located."

The malicious Android Package is automatically downloaded when people visit certain pornography sites using an Android phone. The sites then claim that the APK installs a video player used for premium access. To be infected, a user must change Android settings to allow out-of-market apps and then manually install the APK. The social engineering trick has already claimed at least 68 victims in the past six hours—40 in the United Arab Emirates, 12 in the UK, six in Germany, five in the US, and the rest in Italy and Poland.
Koler.A is another reminder that Android users are quickly being targeted by the same malware and social engineering attacks that have plagued Windows users for years and more recently have started migrating to those using Macs. People should remain highly cautious when downloading Android apps, especially those available from sources other than the official Google Play Store.