Koler worm’ latest variant is the latest Android ransomware in townModus OperandiRemoval
AdaptiveMobile stated that the latest variant of Koler worm is very active in the wild and has blocked thousands of messages from hundreds of infected Android smartphones and tablets. AdaptiveMobile also detected that the all new Koler was spreading all over the world through SMS messages but most of the victims discovered so far are in the United States. AdaptiveMobile blog states,
Modus Operandi
This latest variant of Koler works by sending an SMS message with a bitly link stating that an account with the user’s photos has been created. Bitly is a URL shortening service which sends shortened links to user for the URLs. It has been used earlier for this kind of phishing attacks because of its innocuous looking link. The attack starts with the victim receiving an SMS message from a phone number of someone they know, which states: AdaptiveMobile says that a similar modus operandi was used in the Facebook scam in February this year. Therefore its quite possible that both malware authors are one and same guy or group or the malware author decided to use this text as they believed that it is good text content to ‘hook’ unsuspecting receivers of the message into clicking on the link. Upon clicking the bitly link, the potential victim is re-directed to a Dropbox page where the malware is hidden in a “PhotoViewer” App.
Once it is clicked and installed, the malware blocks the user’s screen with a fake FBI page, which says the device has been locked due to pornographic or other inappropriate content. The user can “wave the accusations” by paying a fine using a Money Pak Voucher. AdaptiveMobile says that is a pretty much rehashed version of koler, the earlier versions of which used to hide in mostly NSFW websites and targeted adults.
Removal
First and foremost, users should use their prudence and discretion while installing any App or unofficial APK. Suspected APKs should never be installed. However if you have already been made a victim by Koler, you should not authorize any payment. The malware can be removed through rebooting their smartphone and starting it in ‘safe’ mode. From the ‘safe mode’ option uninstall the ‘PhotoViewer’ App. Once it is removed, your Android device should restore itself to its original state as before.