Koler worm’ latest variant is the latest Android ransomware in town
AdaptiveMobile has detected a all new variant of the Koler worm. The emergence of this worm was detected by AdaptiveMobile on on 19th Oct, 2014. Whats different about this new variant of Koler worm that it now spreads through SMS text message and holds infected users’ phones hostage until a ransom is paid.
AdaptiveMobile stated that the latest variant of Koler worm is very active in the wild and has blocked thousands of messages from hundreds of infected Android smartphones and tablets. AdaptiveMobile also detected that the all new Koler was spreading all over the world through SMS messages but most of the victims discovered so far are in the United States. AdaptiveMobile blog states,
Koler is a piece of malware that blackmails users of infected phones by blocking screen with an intimidating fake law enforcement notification page, and scares the victim to pay a “fine” to unlock their phone. This type of malware was first spotted in May this year blackmailing victims on Android devices. In July new reports suggested a new version that can also target PC’s.
This latest variant of Koler works by sending an SMS message with a bitly link stating that an account with the user’s photos has been created. Bitly is a URL shortening service which sends shortened links to user for the URLs. It has been used earlier for this kind of phishing attacks because of its innocuous looking link.
The attack starts with the victim receiving an SMS message from a phone number of someone they know, which states:
someone made a profile named -Luca Pelliciari- and he uploaded some of your photos! is that you? https://bit.ly/xxxxxx
AdaptiveMobile says that a similar modus operandi was used in the Facebook scam in February this year. Therefore its quite possible that both malware authors are one and same guy or group or the malware author decided to use this text as they believed that it is good text content to ‘hook’ unsuspecting receivers of the message into clicking on the link.
Upon clicking the bitly link, the potential victim is re-directed to a Dropbox page where the malware is hidden in a “PhotoViewer” App.
Once it is clicked and installed, the malware blocks the user’s screen with a fake FBI page, which says the device has been locked due to pornographic or other inappropriate content. The user can “wave the accusations” by paying a fine using a Money Pak Voucher.
AdaptiveMobile says that is a pretty much rehashed version of koler, the earlier versions of which used to hide in mostly NSFW websites and targeted adults.
“This attack combines the techniques we have seen with worms like Selfmite with a traditional Android ransomware attack,” said Cathal Mc Daid, Head of Data Intelligence & Analytics at AdaptiveMobile. “Spreading the worm by SMS makes it more effective as people are more likely to respond to a link sent by someone they know.”
First and foremost, users should use their prudence and discretion while installing any App or unofficial APK. Suspected APKs should never be installed.
However if you have already been made a victim by Koler, you should not authorize any payment. The malware can be removed through rebooting their smartphone and starting it in ‘safe’ mode. From the ‘safe mode’ option uninstall the ‘PhotoViewer’ App.
Once it is removed, your Android device should restore itself to its original state as before.