
How the Koler Android Ransomware Can Spread Through Text Messages

Since October 2014, security firms have tracked and attempted to combat a new, insidious computer virus that has spread at frightening speed, especially in the United States.

Known as the Koler virus, this ransomware Trojan worm has been a difficult foe for security firms to contain. Because it locks the screen and can access the information on an individual’s Android device, the Koler virus is a frustrating and highly infectious variant of malware.

However, education and setting up prudent security measures on an Android device can combat this new form of malware.

What Is Ransomware?

True to its name, a ransomware virus locks an individual’s computer and demands a ransom before returning it to proper functionality. In almost all cases, ransomware takes the form of a persistent window that hinders an individual’s ability to navigate their device, whether it’s a computer or phone. Since individuals can no longer navigate their devices, they cannot deactivate the malware through an app manager or by any other method until a ransom is paid.

Ransomware is not a new phenomenon. Unfortunately, ransomware’s effectiveness makes it popular among scammers, and an increasing number of victims are paying these ransoms. Typically, the persistent window that seizes the computer takes the guise of a legitimate organization, such as local law enforcement, giving the individual cause for concern.

Most often, and in the case of the Koler virus, individuals are “fined” for viewing illicit content. To waive the accusation, the individual must pay the “fine” before the computer’s normal functioning is restored. This “accusation waiver,” of course, is the crux of this scam.

The Appearance of the Koler Android SMS Worm

In October 2014, malware researchers began noticing the Koler Android SMS worm as a variant of typical Trojan ransomware. Like most ransomware, the Koler virus locks the screen with an incessant window under the guise of a legitimate local law enforcement message. Distributed through porn (and other illicit) sites by clicking on seemingly normal apps, the Koler virus accuses the user of viewing child pornography, and the message asks the individual to pay their “fine” using a MoneyPak prepaid card.

So far, researchers have found that the Koler virus has the ability to mimic local law enforcement in 30 countries. In the United States, the Koler virus impersonates the FBI. Although such ransomware is disruptive, it has historically been confined to a single device and distributed only through clicking a fake application online.

In addition, ransomware has been generally limited to the PC world and is a relative newcomer to mobile devices. This is due, in part, to the file restrictions in mobile operating systems, which limit the ability of apps to control the entire system. However, the Koler Android virus is able to access the entire system, including all media and the contacts in the address book of the compromised device. In other words, the Koler virus is a variant of ransomware with the ability to self-propagate through an infected device’s address book.

Opening a Can of SMS Worms

Unfortunately, the Koler virus’s ability to access an entire Android system includes contacts and SMS messages, which allows it to self-propagate to an infected user’s contacts in the form of SMS messages. Contacts receive a shortened bit.ly URL to a Dropbox location with a “PhotoViewer” app.

The application package file is called IMG_7821.apk. This SMS-based propagation is what makes the Koler virus a worm and a new variant of ransomware. If the unsuspecting user downloads the application, the persistent screen appears with the fake law enforcement message, demanding a $300 ransom for viewing illicit content.

The Infectious Nature of the Koler Virus

Of the 30 countries infected by the Koler worm virus, the United States accounts for three-quarters of infected devices, and a large portion of infected Android devices have been tracked throughout the Middle East. In addition, the Koler malware has been tracked on many major United States phone carriers. The rapidly spreading nature of the virus is due to one major component of its mechanism: its ability to access all the contacts of a compromised device and send an SMS message to every contact in the address book at once.

The SMS message reads “Someone made a profile named -[the contact’s name]- and he uploaded some of your photos! is that you?” Obviously, unsuspecting victims in the address book are more trusting of a message sent by a friend, family member, or acquaintance. Although a typical person may be wary of downloading apps from a seedy pornographic website, he or she may not think twice about reacting to a seemingly harmless message.
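The lure message above is distinctive enough to be matched by a simple filter. The following is an added example, not code from the original post or from any security vendor: it scores SMS messages against the indicators the article describes (a shortened bit.ly link, the Dropbox-hosted “PhotoViewer” app and IMG_7821.apk file name, and the “uploaded some of your photos” wording) and flags a message only when two indicators coincide, because a shortened link on its own is common in harmless texts. The tab-separated log format, the phone numbers and the message bodies are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article's description of the Koler SMS lure.
LURE_PHRASES = ("made a profile", "uploaded some of your photos", "is that you")
SHORTENER_RE = re.compile(r"https?://(?:www\.)?bit\.ly/\S+", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"dropbox\.com|photoviewer|IMG_7821\.apk", re.IGNORECASE)


@dataclass
class Verdict:
    timestamp: str
    sender: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

    @property
    def suspicious(self) -> bool:
        # A shortened link alone appears in plenty of benign messages; require a
        # second indicator (payload reference or lure wording) before alerting.
        return self.score >= 2


def score_message(timestamp: str, sender: str, body: str) -> Verdict:
    """Score one SMS body against the three indicator classes; one point each."""
    verdict = Verdict(timestamp, sender)
    if SHORTENER_RE.search(body):
        verdict.reasons.append("shortened bit.ly link hides the real destination")
    if PAYLOAD_RE.search(body):
        verdict.reasons.append("references the Dropbox-hosted PhotoViewer / IMG_7821.apk payload")
    hits = [phrase for phrase in LURE_PHRASES if phrase in body.lower()]
    if hits:
        verdict.reasons.append("Koler lure wording: " + "; ".join(hits))
    return verdict


def parse_sms_log(text: str):
    """Yield (timestamp, sender, body) from tab-separated lines.

    The log layout is assumed for this example. Blank lines, comment lines and
    lines that do not have exactly three fields are skipped rather than crashing
    the scan, since exported SMS logs are rarely perfectly clean.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        yield tuple(parts)


def scan_log(text: str):
    """Return the verdicts for every message in the log that crosses the alert threshold."""
    return [v for v in (score_message(*record) for record in parse_sms_log(text)) if v.suspicious]


# Constructed sample log: one Koler-style lure, two benign messages (one with a
# harmless bit.ly link), one message pointing at the payload, and one malformed line.
SAMPLE_LOG = "\n".join([
    "# timestamp\tsender\tbody",
    "2014-10-20T10:31:00\t+15550100\tSomeone made a profile named -Alice- and he uploaded some of your photos! is that you? http://bit.ly/PLACEHOLDER",
    "2014-10-20T11:02:00\t+15550101\tRunning late, order without me",
    "2014-10-20T11:45:00\t+15550102\tGreat read on phone security http://bit.ly/PLACEHOLDER2",
    "2014-10-20T12:10:00\t+15550103\tis that you in the photoviewer app? https://www.dropbox.com/s/PLACEHOLDER/IMG_7821.apk",
    "this line is malformed and has no tab separators",
])

if __name__ == "__main__":
    for verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict.timestamp} {verdict.sender} score={verdict.score}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The threshold of two indicators is the design choice worth noting: matching only the bit.ly pattern would flag every shortened link, while matching only the exact lure sentence would miss the same campaign with minor rewording. Expanding the shortened URL to see whether it resolves to a Dropbox-hosted .apk would be a stronger signal, but it requires network access and so is left out of this offline example.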

How to Protect Your Android Device

First things first: If users suspect that their Android devices have become infected, they should never pay the ransom. Paying the ransom certainly does not guarantee that a device will be restored to normal functioning. It also encourages cyber crime and perpetuates these types of scams.

Although the Koler virus is insidious in its ability to spread, it does not encrypt files, meaning that it’s relatively simple to remove from a mobile device. In fact, the Koler virus can be removed by following two basic steps. First, users need to reboot their phone in Safe Mode. Once the device is in Safe Mode, they can remove the infected “PhotoViewer” app using the standard Android uninstall function.

Users can also set their Android security settings to completely remove the threat of infection. By simply turning off the “Unknown Sources” option in the security settings menu, users will not be able to install applications from unknown sources. They must download applications from the official Google Play store found on Android devices.

Currently, mobile security firms are working with law enforcement, Dropbox, and bit.ly to eradicate the Koler worm virus. Although its ability to access contacts in Android devices and its distribution mechanism are both alarming, the virus can be contained through education and applying effective security measures. Android users are encouraged to remain vigilant and think twice about clicking on any suspicious links in the text messages they receive.
