# Koler
Police-themed screen-lock ransomware discovered in 2014. Koler displayed geo-targeted fake law enforcement warnings on infected devices, demanding a ransom. Distributed through a network of pornographic website redirects, it was connected to the Reveton ransomware operation that had previously targeted Windows users. The campaign reached nearly 200,000 victims, 80% of them in the United States.
## Overview
| Property | Value |
|---|---|
| First Seen | April 2014 |
| Type | Screen-lock ransomware ("police locker") |
| Attribution | Connected to Reveton ransomware network |
| Aliases | Trojan.AndroidOS.Koler (Kaspersky), Trojan:Android/Koler (F-Secure) |
## Distribution
Distributed via a network of pornographic website redirects. Victims visiting adult sites were redirected through dozens of automatically generated domains to a central hub serving the malicious APK (animalporn.apk). Infection was not automatic: the victim had to manually download and install the APK.
## Capabilities
| Capability | Implementation |
|---|---|
| Screen lock | Full-screen browser window blocking device interaction |
| Geo-targeting | Customized lock screens impersonating local law enforcement based on victim's country |
| Scareware | Fake police warning claiming illegal activity detected |
| Data exfiltration | Collected the device IMEI and sent it to the C2 server |
| Ransom demand | $100-$300 |
Koler did NOT encrypt files, despite claiming to have done so. It was purely a screen locker that relied on social engineering to extract payment.
## Geographic Distribution
| Country | Visitors | Percentage |
|---|---|---|
| United States | 146,650 | ~80% |
| United Kingdom | 13,692 | ~7% |
| Australia | 6,223 | ~3% |
| Canada | 5,573 | ~3% |
The campaign was disrupted on July 23, 2014, when the C2 server began sending "Uninstall" commands to infected devices, causing the locker to remove itself.
## Significance
Koler demonstrated that the "police locker" social engineering model worked on mobile. The porn-themed distribution network combined with fake law enforcement warnings exploited victims' reluctance to report the crime. The cross-platform campaign infrastructure (mobile malware + Angler Exploit Kit + browser ransomware) represented an early example of unified cross-platform operations.