Ransomware using phoney RCMP warning has been detected

Canadians like to think of themselves as largely on the sidelines of major cyber attacks. However, this year we’ve seen at least one banking attack targeting us. Now comes word that mobile ransomware has been tailored to Android users here. It’s another warning that downloading apps from anywhere other than the Google Play store — unless its a highly reputable site — is dangerous.

Appthority, a San Francisco-based application risk analysis provider, said Monday that a person or group leveraging the Koler ransomware that takes over user mobile devices has fashioned an attack aimed at Canadians who visit porn sites. The payload is delivered by a movie viewer users are asked to download. The sites can detect what country visitors come from and delivers a viewer with one of two malware packages. Like any ransomware, after installation the malware falsely notifies the victim that their device has been found to contain illegal content, so the device owner has to pay a fine.

The twist is it includes a warning screen claiming to be from the RCMP. Until now the Koler campaign has used a phoney warning from the FBI.

Fig 1.2

(Images from Appthority)

To ensure that device owners don’t panic and throw it away or completely disconnect from the network, the notification includes warns that information from the device has already been uploaded and any attempts to dispose of the device would be futile, says Appthority.  The user’s device is locked and the user is then asked to pay a fine (ransom) in order to unlock their device.

In an interview Tuesday company founder and co-president Domingo Guerra said its threat research team began seeing evidence of the Canadian-targeted threat about two and a half weeks ago.

Those behind the Koler ransomware appear to be from Eastern Europe, he said, but the company can’t say if its one group.

He couldn’t say how many devices have been infected with the Canadian version of the ransomware. One problem is those infected are likely reluctant to notify security vendors or police because they’d have to acknowledge going to a porn site.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web