The Koler "Police" ransomware infected more than 200,000 Android devices before being shut down in July, according to Kaspersky Labs.
Kaspersky reported that the Koler ransomware infected far more machines than first thought, in its "Koler - The 'Police' ransomware for Android" threat report.
"During our analysis, we discovered that the infrastructure behind the distribution and infection process was far more complex than expected. The mobile infection is triggered when the user visits specific pornographic sites. Those sites are part of the distribution network created for this campaign," read the threat report.
"All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK. When visited, the website automatically redirects the user to the malicious application."
The firm said that more than 200,000 Android devices connected to the infected server and were potentially infected with the malware.
The US and UK were listed as the worst hit. Kaspersky reported detecting 146,650 US and 13,692 UK connections between April and June.
Kaspersky added that the criminal network appeared to have a second, still early-stage capability that could be used to mount attacks on Windows PCs as well as Android devices.
"Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again according to several conditions. This second redirection could be to a malicious Android application, browser-based ransomware or to a website with the Angler exploit kit," read the threat report.
"In this final case, the exploit kit was not fully operational and we were unable to obtain its payload. However, the attackers used an API armed with the exploit kit to retrieve their landing sites."
The researchers added the criminals' advanced network could be used to mount fresh attacks targeting a variety of groups in the very near future. "With regards to the malicious mobile application, we have found different APKs [Android application packages] with the same behavior," read the report.
"Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk. This suggests the attackers could expand their campaign in the near future."
The Koler ransomware was first uncovered by security researcher Kafeine in May and was initially believed to be fairly basic.
"[The ransomware] blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device," explained Kaspersky researchers. "It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen."
Prior to Kaspersky's findings, the malware had largely been ignored since 23 July, when the mobile part of the campaign was disrupted and the campaign's command-and-control (C&C) server was set to send "uninstall" requests to victims.
Ransomware is an ongoing problem for law enforcement and businesses. In May, Microsoft reported that the number of cyber attacks using the infamous Reveton ransomware had doubled over the past year.