New version of Koler ransomware spreads via SMS
Koler.A is a form of Android ransomware that was first identified in May 2014. The initial version of the Koler malware would lock a victim’s phone with a message ordering the victim to pay a $300 USD ransom to unlock the phone. A new version of Koler has now been identified that is propagated via text messages.
The new version of Koler (as reported by Adaptive Mobile) sends a text informing the recipient that a profile has been created with some of their photos. The message also contains a bit.ly link where the user can view the photos.
The bit.ly link leads to a Dropbox page where the user is prompted to download an application called “PhotoViewer”. The application, once installed, locks the victim’s phone screen with a bogus FBI warning page. The warning page states that the device has been locked due to the user accessing pornographic or other inappropriate material. The victim is offered the choice to pay a fine to unlock the phone via a Money Pak voucher.
Propagation via text message is being used to speed up the infection rate of this variant of Koler. A recipient who sees that the text comes from a friend is more likely to view the message. Koler makes one pass through the victim’s phonebook to send these messages; it does not encrypt files. Dropbox were notified of the malware and have now removed the file. The bit.ly link has also been removed. Adaptive Mobile have stated that they are “blocking the message” on their networks.
It is strongly recommended not to pay the fine for this (and any other) ransomware; paying a fine to the attackers encourages further attacks with other versions of ransomware. Adaptive Mobile has suggested that if your phone is infected, reboot the phone into safe mode and uninstall the PhotoViewer app using the Android uninstall tool.