Android Outbreak: Koler ransomware has learned how to worm

With last week’s appearance of a new, wormable variant of Selfmite, it now appears that the makers of Android malware have found a new favorite propagation technique. This Tuesday, reports indicated the emergence of a new strain of the Koler Police Locker ransomware that also spreads by sending an SMS to every single person in your contacts list.

How does Koler get on your Android?

When Koler first emerged, it was only capable of infecting users through third-party apps proffered by shady porn sites. Now, the malware can also spread like a worm by automatically sending an SMS message to every single person on an infected device’s contact list. This message contains a malicious shortlink that leads to a Dropbox page hosting the malware, disguised as a “Photo Viewing App.” Users who install the app become infected.

What happens when you’re infected?

Reports indicate that once Koler is installed, it locks the Android device’s screen with a fake FBI webpage, which accuses the user of viewing child pornography and zoophilia. The user is then told that in order to unlock the screen, they must pay a ransom through MoneyPak. At some point, Koler will also perform its worm behavior and spam all contacts on the infected device with the malicious link, in order to continue the cycle of infection.

How can I keep my Android ransomware-free?

If your device has become infected with Koler, do not pay the ransom!

Unlike other forms of Android ransomware, this wormable Koler variant DOES NOT encrypt your files; it merely locks your screen. You can actually remove the malware by rebooting your device in Safe Mode and deleting the “Photo Viewing App” that was downloaded via Dropbox. Readers who require assistance with this process are encouraged to contact Emsisoft Support.

For additional protection against Koler and other forms of wormable Android malware, you can also consider Emsisoft Mobile Security, which automatically prevents infection from such threats. On top of this, simply avoid clicking mysterious shortlinks, even when they come from friends – especially if those friends are known to frequent some of the… more questionable parts of the web ;)

Have a great (ransomware-free) day!

For additional information on Koler, see this article from Tech World by John E. Dunn.