Security firm AdaptiveMobile has uncovered a new variant of the “Android.Koler.A” malware, which is being called Worm.Koler and spreads by text message.
The text messages typically read “someone made a profile named - (the contact’s name) and has uploaded some of your photos! is that you?” This is followed by a ‘bit.ly’ URL. If you click on the link, you will be redirected to a file hosting service where you are encouraged to download an app called ‘Photoviewer’.
Once this app is installed, a pop-up screen will appear stating that your device has been locked by the police and that you must pay to unblock it.
Whilst this is happening on the screen, in the background, text messages are spammed out to all the contacts stored on your phone. The message is only sent once to make it appear more authentic.
The National Fraud Intelligence Bureau (NFIB), which issued the alert, said it appears that this variant is currently being aimed at the US, as the pop-up screens are US based, e.g. purporting to be from the FBI. It is likely that the UK has already been, or will be, affected, but to date the NFIB has not received any reports detailing this type of ransomware.
What to do if your Android phone is infected
It is recommended that any victims of this ransomware perform a factory reset of their device and then reinstall their apps afterwards. This could cause loss of data such as photos if they have not already been backed up.
If the malware prevents you from getting into your phone’s settings, put the phone into safe mode (please refer to your phone’s instruction manual) and remove the app. Once this is done, perform a complete reset of your phone.
If you are unsure about any message containing a link, do not click on it, and think about contacting the sender to verify that they intended to send you the message.
It is important to remember to download apps only from a reputable source such as the Google Play Store.
If you’ve lost money or information, or your computer/smartphone has been taken over by a phishing or malware attack, report it to Action Fraud.