Recently, a new Android threat named Android.Koler has begun popping up in the news. According to an article by Ars Technica, it behaves similarly to other pieces of ransomware often found on Windows machines. A popup will appear and state, “Your Android phone viewed illegal porn. To unlock it, pay a $300 fine.” This nasty little piece of malware is infecting people who visit certain adult websites on their phone. The site claims you need to install a video player to view the adult content. Although I can’t say for sure since I haven’t seen the malicious sites, I’m guessing there is a nice walkthrough on how to allow the installation of apps from unknown sources, or anything not in the Google Play store.
If you have Webroot SecureAnywhere® Mobile installed, it will detect Android.Koler on the internal storage if you run a scan before installing or after you open the app to install it. If you don’t have SecureAnywhere Mobile installed, things are going to get a bit trickier. The app reopens itself so often that when you press the home button and try to install WSA, or do anything else, it’s nearly impossible to finish before the screen of shame pops back up. The app claims you are viewing banned/illegal adult content. It then demands you pay a fine of $300 to unblock your device, or the device will remain blocked and you will face felony charges, which, of course, is false. A researcher at BitDefender claims he was able to quickly uninstall the app before it popped back up, but I was unsuccessful with this myself. This is the screen that keeps popping up, and the icon you should be looking for:
However, there is a legitimate “BaDoink” app that uses the same icon. This will make it tricky if you’re hoping to get the real version.
What should you do if this happens to you? Many manufacturers have a built-in “safe mode” on their devices’ version of Android. With a little bit of searching on the internet using your device’s model and “safe mode”, you may be able to find instructions on how to get there on that particular device. For example, “Motorola Droid 4 Safe Mode” was all it took to find instructions for the Droid 4 phone.
Once booted into safe mode, you will be able to uninstall the malicious app easily because safe mode stops any non-system apps from starting on boot up. Once this is done, power off the phone and power it back on to get out of safe mode.
As a preventative measure, installing security software such as Webroot SecureAnywhere® Mobile will prevent these issues before they even happen.