Koler Android Ransomware spread itself via SMS messages

Pierluigi Paganini October 26, 2014

The security firm AdaptiveMobile has discovered a new variant of Koler ransomware is capable of self-replication via SMS messages.

A new strain of the Koler Android ransomware is threatening the mobile industry, the new variant spreads itself via SMSs and holds the victim’s device phone hostage until a ransom is paid.

The Koler ransomware were detected by experts at Kaspersky Lab in July, the researchers issued a report on the malware explaining that it was targeting targeting both Android devices and desktop browsers.

The first variant of the Koler Android ransomware was observed in May when the Trojan was spread through certain pornographic websites under the guise of legitimate apps.

Implementing a classic extortion scheme  locks the victim’s device display and then requests money from victims. The malware displays fake notifications from law enforcement agencies that accuse victims of viewing and storing child pornography.

Security experts from mobile security firm AdaptiveMobile have discovered a new variant of the mobile malware Worm.Koler that allows the malicious code to spread via SMS, sending shortened bit.ly URL.

Koler Android Ransomware SMS

The security firm has already observed thousands of messages from hundreds of infected phones, mainly located in the US.

“the Android malware Koler, which now spreads by text message and holds infected users’ phones hostage until a “ransom” is paid. AdaptiveMobile detected the emergence of the worm on October 19th, and has blocked thousands of messages from hundreds of infected phones. The attack is occurring worldwide, but the majority of the infected phones are in the United States.” states the blog post published by the company.

Koler Android Ransomware GEO

The attack scenario is very interesting, the Koler worm sends an SMS message with a bitly link stating that an account with the user’s photos has been created. To spread itself, the koler worm first sends an SMS message to all contacts in the mobile’s address book with a text stating:

Someone made a profile named -[the contact’s name]- and he uploaded some of your photos! is that you?” followed by a Bitly link.

The victim is re-directed to a DropBox folder containing a “PhotoViewer” app trojanized with the malware. Once installed, the maclious app locks the victim’s devices requesting the payment of a fee to unlock it.

“Once installed, the malware blocks the user’s screen with a fake FBI page, which says the device has been locked due to pornographic or other inappropriate content. The user can “wave the accusations” by paying a fine using a Money Pak Voucher. This a new approach for Koler, which used to hide on pornography sites, and is now using SMS and the wording of a well-known Facebook scam to entice users to install it. ” states the post The device appears to be completely locked down with the screen on the phone blocked, so the user won’t be able to close the window, or deactivate the malware through the app manager,” reads the blog post. “The victim is forced to buy a voucher as instructed on the blocking page, and send the voucher code to a malware author.”

The experts noticed that the code of Worm.Koler is internationalized, it is able to display localized messages to victims.

As usual I strongly suggest to infected users to not pay any ransom because there is no guarantee to free the mobile from the threat. Another risky behaviour for mobile users is the enable the “Unknown Sources” option in Android device security settings menu. Enabling the option users can install applications from unknown sources, a behaviour that could allow malicous code download from unofficial stores to infect the device.

Koler does not encrypt users’s files, for this reason it is easy for users to eliminate it from infected devices. Below the instructions to remove the malware:

  • Reboot the mobile device in the “Safe Mode
  • Remove the malicious ‘PhotoViewer‘ app using standard Android app uninstallation tool

Pierluigi Paganini

Security Affairs –  (Koler, ransomware)

you might also like

leave a comment