According to the Ars Technica report, the 'ransomware', dubbed Android-Trojan.Koler.A, uses the infected phone's geolocation functions to tailor false security warnings to whatever country a victim happens to reside in. The screenshots, originally obtained by Bitdefender, show the malicious software invoking an FBI warning, which is the notice displayed on infected phones connecting from a US-based IP address.
[Image: Android Ransomware, via Ars Technica]
"The ransomware's main component is a browser view that stays on top of all other applications," Bitdefender Senior E-Threat Analyst Bogdan Botezatu wrote in an e-mail to Ars. "You can press Home and go to the homescreen, but a timer would bring it back on top in about 5 seconds. I managed to uninstall it manually by swiftly going to applications and dragging the icon on the Uninstall control, but it only works if the application icon is on the first row. Otherwise, one wouldn’t have the necessary time to drag it to the top, where the uninstall control is located."
The malicious Android software is automatically downloaded when users visit unspecified pornography sites using their Android phones. The site side-loads an APK file claiming to be a video player used for premium access. To be infected, a user must change Android settings to allow out-of-market apps and then manually install the APK. According to the report, the social engineering trick has already claimed at least 68 victims in the past six hours: 40 in the United Arab Emirates, 12 in the UK, six in Germany, five in the US, and the rest in Italy and Poland.