Koler worm spreads via SMS, holds phones for ransom

A new variant of the Android malware Koler now spreads by text message and holds infected users’ phones hostage until a ransom is paid.

AdaptiveMobile detected the emergence of the worm on October 19th, and has blocked thousands of messages from hundreds of infected phones. The attack is occurring worldwide, but the majority of the infected phones are in the United States.

This new version of Koler works by sending an SMS message that states an account with the user’s photos has been created and includes a bitly link. The user is redirected to a Dropbox page where the malware is hidden in a “PhotoViewer” app.

Once installed, the malware blocks the user’s screen with a fake FBI page, which says the device has been locked due to pornographic or other inappropriate content. The user can “wave the accusations” by paying a fine using a MoneyPak voucher.

This is a new approach for Koler, which used to hide on pornography sites and now uses SMS and the wording of a well-known Facebook scam to entice users to install it.

“This attack combines the techniques we have seen with worms like Selfmite with a traditional Android ransomware attack,” said Cathal Mc Daid, Head of Data Intelligence & Analytics at AdaptiveMobile. “Spreading the worm by SMS makes it more effective as people are more likely to respond to a link sent by someone they know.”

If users suspect they are infected, they should not authorize any payment. Rather, they should remove the malware by rebooting their phones in “safe” mode and then uninstalling the PhotoViewer app. Users should also remember to install only apps that come from a trusted source.