New Rapidly-Spreading Android Ransomware Appears

According to a report from Adaptive Mobile, a new variant of Android-targeting ransomware has been spotted. The malware carries the name Koler and resembles other ransomware we’ve seen before, with one key difference: this one spreads via SMS messages.

Here is the process:

  • You get a text message from a friend you know well, saying: “someone made a profile named -your name- and he uploaded some of your photos! is that you? http://bit.ly/xxxxx”
  • Of course, you start wondering why someone would make a profile with your photos, and you click on the link; after all, it came from a friend
  • You’re taken to a Dropbox page where you can download “IMG_7821.apk”, disguised as a PhotoViewer app needed to view your photos (this is an APK file with the malware)
  • You install it, and soon after, your screen is locked, with a picture of Obama and various agency logos telling you you’re “accused of viewing and storing of forbidden child pornography and zoophilia”
  • You are then offered the option of waiving the charges by getting a Money Pak and sending the redemption code to the attacker to unlock the phone.

While the above is happening, there’s another process that takes place in the background: the ransomware sends text messages to all your contacts and the whole process repeats for your friends.
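A gateway-side check for the spreading behaviour described above, as an added example that is not from the original article or the Adaptive Mobile report: it flags a sender that pushes near-identical short-link messages to several distinct recipients within a short window. The record layout, thresholds, function names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+", re.I)
SHORTENERS = {"bit.ly"}  # the article names bit.ly; any other entries would be assumptions

# Constructed outbound-SMS records: (sender, recipient, unix_time, body).
LURE = "someone made a profile named {} and he uploaded some of your photos! is that you? http://bit.ly/xxxxx"
SAMPLE = [
    ("+15550001", "+15550101", 1000, LURE.format("Alice")),
    ("+15550001", "+15550102", 1020, LURE.format("Bob")),
    ("+15550001", "+15550103", 1040, LURE.format("Carol")),
    ("+15550002", "+15550101", 1005, "lunch today? menu is here http://bit.ly/yyyyy"),
    ("+15550002", "+15550104", 1030, "check out this video http://bit.ly/zzzzz"),
    ("+15550003", "+15550102", 1010, "running late, see you at 8"),
]

def has_short_link(body):
    """True if the message contains a link hosted on a known URL shortener."""
    return any(urlparse(u).netloc.lower() in SHORTENERS for u in URL_RE.findall(body))

def words(body):
    """Word set of the message with URLs removed, so only the wording is compared."""
    return frozenset(re.findall(r"[a-z']+", URL_RE.sub(" ", body.lower())))

def similarity(a, b):
    """Jaccard similarity; a swapped-in recipient name changes only one word."""
    return len(a & b) / len(a | b) if a | b else 0.0

def find_spreaders(records, min_recipients=3, window=600, min_sim=0.8):
    """Map each suspicious sender to the recipients of its near-identical lure."""
    by_sender = defaultdict(list)
    for sender, rcpt, ts, body in records:
        if has_short_link(body):
            by_sender[sender].append((ts, rcpt, words(body)))
    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda m: m[0])
        for i, (t0, _, ref) in enumerate(msgs):
            hits = {r for t, r, w in msgs[i:]
                    if t - t0 <= window and similarity(ref, w) >= min_sim}
            if len(hits) >= min_recipients:
                flagged[sender] = sorted(hits)
                break
    return flagged

if __name__ == "__main__":
    print(find_spreaders(SAMPLE))
```

Comparing word sets rather than exact strings matters here because each copy of the lure carries a different recipient name, so exact-match deduplication would miss the burst.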

The bit.ly statistics suggest that the malware is spreading rapidly.

If you fall victim to this attack, don’t panic, and do not pay the ransom, as you’re not guaranteed to have your phone unlocked. Try:

  • Doing a master reset via the recovery menu available on all Android devices before the phone boots (ask a professional for help if you cannot find it in the manual)
  • Manually uninstalling the APK via the Android SDK (for advanced users only – try searching the XDA Developers forums for help)