• ESET: a variant of Android/Koler.A trojan (More)
  • Kaspersky: HEUR:Trojan.AndroidOS.Koler.a

Category: Ransomware

  • This is a threat.
  • Can cost money.
  • May be a privacy threat.
  • Potentially unwanted behavior.


CryptoLocker was formally a PC only form of malware. Recently CryptoLocker was discovered on the under-web being advertised as malware-for-hire with additional new capabilities, including the ability to operate on the Android platform.

CryptoLocker is distributed by a website claiming to be affiliated with several different government defense agencies (FBI, CIA, Netherlands Cybercrime Police, ETC). These websites are likely visited as pop up advertisements from unseemly pornographic websites. When visited on an Android device the criminal websites push an automatic download to the device, the file downloaded is the android CryptoLocker file.

The CryptoLocker file must be manually installed. This is a great example of why you should never install an application that you did not actively search for, if the application found you and downloaded itself, steer clear. The installation process is like any other third party install, the application uses an innocuous icon to fool the victim and requests permissions that are relatively ordinary.


Once installed the CryptoLocker malware takes over the phone and displays a message stating the device has been locked by the police for viewing illegal media. The device files are no encrypted and inaccessible and a fine is being levied to return the device to working order.


The infected device is rendered unusable, the user can access the home screen but initiating any device activity (phone call, text message, browser, apps) will redirect the victim back to the CryptoLocker alert that states a fine must be paid to unlock the device.

To pay the ransom and regain access to the infected device the victims must purchase a pre-paid MoneyPak card for a value of $300 USD. The victim must then enter the card and PIN number into the ransomware to pay the “fine.”

This CryptoLocker variant is active in 31 countries including the US:

  • Austria
  • Australia
  • Belgium
  • Bolivia
  • Canada
  • Czech Republic
  • Denmark
  • Ecuador
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Mexico
  • Netherlands
  • Norway
  • New Zealand
  • Poland
  • Portugal
  • Romania
  • Spain
  • Slovakia
  • Slovenia
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom
  • United States

Once the ransom is paid the malware does in fact unlock the device, however this is a hefty price to pay for access to your own device.

Armor for Android recommends that users should avoid installing application that have been automatically downloaded by websites.

Armor for Android also recommends that this app or file be immediately uninstalled and deleted from the infected device.

Additional Details

Package Name:

First Detected:
May 2014

File Type:
APK (Android application package file)


WAKE _ LOCK (prevent phone from sleeping)
RECEIVE _ BOOT _ COMPLETED (automatically start at boot)
READ _ PHONE _ STATE (read phone state and identity)
INTERNET (full Internet access)

Repair Instructions

Users should be careful when downloading applications from third party Android markets.

Always review application permissions to make sure no unusual permissions are being requested.

Android users should only download applications from a trusted source.

We advise Android users to download and use antivirus software to keep their android device and personal information safe.

Armor for Android Uninstall:

  • Scan your device using Armor for Android
  • Click the Fix Now button
  • Select the threat from the scan results
  • Click the Uninstall button

Manual Uninstall:

  • Open the Android Menu
  • Go to Settings
  • Select Applications
  • Select Manage Applications
  • Select the infected application and click the Uninstall button

Android Malware Write-up By: James Green