New Mobile Malware Threat (And Solution)


Staff member
Mar 24, 2011
Bob Rankin 10:23 AM

New Mobile Malware Threat

A well-known predator named “Koler” has ramped up its game from “drive-by download” to “self-replicating virus,” accelerating the spread of this ransomware from one smartphone to all its owner’s contacts. Read on to learn about a secret feature that will zap this and other mobile malware apps...
Got Koler Mobile Ransomware? Don’t Panic!
Regular readers of this site may remember my article about Cryptolocker, a desktop malware menace that locks your computer, scrambles your files, and demands payment to restore access.

Likewise, Koler is mobile malware targeting Android smartphones and tablets, which extorts ransom from its victims, telling them their data has been encrypted and the key will cost money.

But don’t panic. Koler is mostly bluff, a serious nuisance, but one that’s essentially toothless and easily banished if you know a little “secret” about Android that even I wasn’t aware of until recently. (Be sure to see my rant below about "unknown sources" too...)


Koler has been known to security researchers since May, 2014. In its original form it seized control of an infected Android device, freezing everything and displaying a screen that demanded payment for unlocking the device. Koler infected Android devices by the classic “Trojan horse” ploy, masquerading as a benign app available for free download on numerous Web sites. But now it’s self-replicating, and that changes the game dramatically.

When the new Koler infects a device it still does its “stand and deliver” ransomware thing. A scary-looking image blocks your screen, pretends to be a message from the FBI, accuses you of viewing and/or storing vile materials on your phone, and demands payment in lieu of prosecution.

But also, it’s busy in the background sending text messages to all of the contacts stored on the infected device. It tells your friends, family, and associates that you have posted photos of them online and provides a link to the page where they can view themselves. That page, of course, has no photos but only a link that will trigger the downloading and execution of Koler on the new victims’ devices.

Time to Panic?
Denis Maslennikov, a security analyst with AdaptiveMobile, told TechNewsWorld, "This is the first time we've seen self-replicating ransomware on Android." Time to panic, right?

First, Koler (and almost ALL other Android malware that I'm aware of) can be installed ONLY if the user has modified their settings to specifically allow software to be installed from "unknown sources," which means sources other than the official Google Play Store. Click on Settings, then Security on your device. (On my Samsung Galaxy, I have to tap "More" to find the Security option under Settings.)

The factory setting for "Unknown sources" is OFF, and it should stay that way, unless you absolutely must install a trusted app from a third-party source. In such a case, remember to turn this setting back to OFF after allowing the install. It irritates me to no end that tech writers, researchers and security analysts (who should know better) almost NEVER mention this very important fact.

Here's a second reason not to panic. Even if you do take the bait, your data is not encrypted; that’s a bluff. It won’t be wiped out forever if you don’t pay the ransom. You can access all of your data as usual and eradicate Koler if you know about Android’s semi-secret “reboot to safe mode” feature. I've been using Android phones for years, and I didn't learn about this until recently.

Most tablet and smartphone users don’t know about safe mode. They assume the only way to get rid of Koler is to do a factory reset, which wipes out all user data entered since the phone was activated. But in safe mode, all third-party apps are temporarily disabled, including Koler. Then you can use Android’s built-in uninstall tool to remove “Photoviewer” -- the alias used by Koler. When you reboot again in normal mode, Koler will be gone.

To uninstall an app on your Android device, first open Settings, then Apps or Application Manager. (You may have to click the More tab to find it.) Tap the app you’d like to uninstall, then tap the Uninstall button. And poof, the stain's gone in the first wash!

How to Use Android's Safe Mode
If your device is ON: Press and hold the power button until the menu appears. Next, tap AND HOLD the Power Off button for a second or so, until the "Restart in Safe Mode" menu appears. Tap the "Turn On Safe Mode" button.

If your device is OFF: Press and hold the power-on button. As soon as the first screen or logo appears, press and hold the volume-down button simultaneously when restarting. On some devices, you'll need to press and hold BOTH the volume-up and volume-down buttons at once. On others, you need to press and hold the menu button. If that doesn't do the trick, search online for device-specific instructions on rebooting in safe mode.

When your device starts up in Safe Mode, you'll see "Safe Mode" in the lower left corner of the display. No third-party apps will be loaded when you start up in Safe Mode, nor will they appear on your Home screens. Restarting your phone normally will get you out of Safe Mode.

So Koler, the latest Android malware scare, is nothing to worry about if you follow my tip about not installing apps from unknown sources. And even if you or a friend does fall for this or a similar trick, now you know what to do.