Koler Ransomware Using Fake Adult-Themed Apps to Infect U.S. Android Users

Posted on June 26, 2017
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
Koler ransomware is masquerading as fake adult-themed apps to infect unsuspecting Android users based in the United States. An infection begins when a user visits a suspicious adult-themed website. The attack campaign says the user must download an app for a popular adult site to view their desired content. But the app is a fake. Catalin Cimpanu of Bleeping Computer explains the nefarious deeds of the app:
"Here, the fake... app would ask the user to allow the continuation of the installation process but would hijack the user's tap and grant itself admin rights. This method, known as clickjacking, is quite common in today's Android malware landscape."
With its newfound administrator rights, the app activates Koler, an Android-based threat which first appeared in 2014. Koler is known for displaying a police-themed message on infected devices that tells victims they must pay a fee for viewing pornographic content. Detected by ESET security researcher Lukas Stefanko, this campaign is no different.
Koler-ransom-note.jpg
Koler's fake police notice. (Source: Bleeping Computer) Koler's incorporation of the FBI into its notice means this offensive is likely targeting U.S. users. As seen in the image above, it demands US$500 from its victims. To protect themselves against this campaign, Android users should follow some basic mobile security principles. First, they should think carefully about which sites they want to visit. Second, they should exercise caution around downloading any type of file from an unknown source found on the web. Third, they should never allow app installations from unknown sources; they should only download programs from trusted developers on Google's Play Store. In the event they suffer a ransomware infection, users should do everything in their power to not pay the ransom. That includes looking up ways to decrypt their files for free. For instance, victims in this campaign can remove the Android ransomware by booting their device into Safe Mode, removing the fake app's administrator rights, and deleting the app. Android users should also back up their devices' data on a regular basis and follow some of these ransomware prevention tips.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!