Koler ransomware locks US Android cell phones

Android_DeadUS mobile security firm AdaptiveMobile has identified a worm version of Koler that infects its first victims from porn sites. As the Android OS touches 85% of the market share in terms of handset sales, the threat posed by SMS worms should not be underestimated.

The Koler worm sends a bit.ly URL to the contacts it finds in the victim’s contact address book in the hope of spreading further. The text generated lures people to click on the link:

Someone made a profile named – Luca Pelliciari  – and he uploaded some of your photos! is that you?”

Users who follow the link are redirected to a Dropbox page that asks them to install a photo viewing app. Android’s default security setting forbidding third-party downloads should refuse the installation as long as it hasn’t been deactivated by the user.

If the installation is successful, however, ransomware blocks the user’s screen with a fake FBI page, which states the device has been blocked because it contains illegal forms of pornography. After locking the screen in ways that are difficult to overcome unless the user boots into safe mode, victims are asked for a MoneyPak ransom. The worm’s tactics are similar to another example of live Android malware, the Selfmite worm discovered in June, which has become more active recently.

According to the recently published results of the Mobile Cyber Threats survey carried out by Kaspersky Lab and INTERPOL between August 2013 and July 2014, every fifth Android-based device protected by Kaspersky Lab security solutions was attacked by malware at least once during the reporting period.

Kaspersky says that in the 12 month period, over 1,020,000 Android cell users across the globe encountered more than 3,400,000 malware attacks. That was six times more than in the previous one and a half years when records were kept.

ESET advises US Android users: boot into safe mode

Mark James, security specialist at ESET, an IT security company headquartered in Bratislava, Slovakia, explains how the Koler SMS-Trojan attack works and how to get rid of it:

The natural progression from desktop to mobile device for ransomware was going to pick up momentum at some point and sure enough, we are seeing more and more cases of malware on the mobile platforms (Android). The biggest factor in this is people’s assumption that they are safe on a mobile.

In this particular case, an SMS is used for the initial contact – which in itself can lure a level of trust that emails do not have – if the masked (truncated) link is followed by a page that will display some kind of tasty treat for free (that may include a free service or free app) which once installed will contain the malware, ransom screens are then presented on your device with no apparent way to get rid of them.

Removing these type of infections is often very simple and can be done by either booting into safe mode (internet searches will often yield many results on how to do this yourself) and uninstalling the offending application (or the last installed app if you don’t remember the name) or as a last resort, factory resetting the device and restoring from your last good backup (maybe 1 or 2 days prior to be safe). The best advice I can give here is DO NOT install any apps from third party websites or links, both Apple and Google Play are by no means 100% safe but they are a lot safer than using a random website to install apps.”

59.06% of malware detections related to programs capable of stealing money and about 500,000 cell users worldwide have encountered malware designed to steal money at least once.

Trojans like Koler designed to send SMSs were the most widespread malicious programs in the 2014 reporting period. They accounted for 57.08% of all detections. The number of modifications for mobile banking Trojans increased 14 times over 12 months, from a few hundred to more than 5000.

To read the full report, see:


Subscribe to the IT Governance blog for updates on this story

[email-subscribers namefield=”YES” desc=”” group=”databreachupdates”]