OFFICIAL SECURITY BLOG

Difficulty removing Koler Trojan or other ransomware on Android?

May 7, 2014

A new Android ransomware dubbed Koler has been spreading as a fake app that impersonates the adult-themed streaming service ‘BaDoink’.

Uncovered by security researcher Kafeine, Koler uses the familiar “Police Locker” tactic: it accuses the victim of a crime and demands a ransom to unlock their PC or device.

Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols, along with carefully crafted text, to look legitimate.


Koler.a does not encrypt your files or other data; instead, its ransom browser page takes over as the active window.

Koler is delivered through site redirection. Once installed and running, the device is taken over by the ransom browser page; pressing the Home button or dismissing the page works only for a very short time. The page reappears when you try to open another app, or within a few seconds.

This makes removal difficult, because you don’t have enough time to uninstall the app through normal methods.

Removal
The good news is you don’t have to pay the ransom to remove it.

First off, Malwarebytes Anti-Malware Mobile detects this as Android/Trojan.Koler.a and will block and remove the Trojan on your Android device.

However, at times there is a race condition where Koler’s page is already up and has control of the screen, or you might not have a security tool installed at all.

You can try the traditional method of going to the app tray and dragging the icon to the Uninstall/Remove area, but you have only a limited amount of time before Koler resurfaces.


Safe Mode
The quickest manual solution is Android’s Safe Mode. As on Windows, Safe Mode is a diagnostic environment in which third-party apps don’t load, so the malicious app cannot take over the screen and you can remove it.

Anyone see a theme here?


Booting to Safe Mode
Because of the various Android updates and different device/carrier flavors, I’ll provide two methods; hopefully one of them works for you. If neither does, you will have to look up how to do it on your particular device.

Jelly Bean, Android 4.1 and up

  1. Power Button
  2. Long press Power Off on screen
  3. Press ‘OK’ to reboot to Safe Mode

Prior to Jelly Bean, or if the above steps do not work:

  1. Power button
  2. Press ‘Power Off’ or ‘Restart’
  3. Restart if powered off
  4. Hold ‘Volume down’ button while booting up.

Once in Safe Mode

  1. Settings
  2. Apps
  3. Locate the BaDoink app, or any other app you want removed.
  4. Uninstall
  5. Restart device

To stay safe from such auto-download/install attacks on Android, keep ‘Unknown Sources’ disabled and stick to trusted app sources. The creators of the real BaDoink app are not behind these tactics; only the app’s likeness was used.
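As an added example, not code from the Malwarebytes post: when the device can be reached over adb, the Device Administrators check that the Safe Mode removal steps rely on can be scripted, as can the stop-then-uninstall sequence. The package names and the `dumpsys device_policy` output below are constructed samples (the real dumpsys output is longer, but active admins appear as `ComponentInfo{package/receiver}` entries); the script assumes `adb` is on the PATH and that USB debugging was already enabled on the device. The text-processing functions take captured output as arguments, so they can be run without a device.

```shell
#!/bin/sh
# Added example (not from the post): find third-party packages that hold
# Device Administrator rights, the combination that blocks a normal uninstall.

# Constructed sample of `adb shell pm list packages -3` output.
SAMPLE_PACKAGES='package:com.android.chrome
package:com.example.flashupdate
package:org.mozilla.firefox'

# Constructed sample of `adb shell dumpsys device_policy` output (abridged).
SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.example.flashupdate/com.example.flashupdate.AdminReceiver}:
      uid=10087
      policies:
        force-lock
        wipe-data
    ComponentInfo{com.android.managedprovisioning/com.android.managedprovisioning.DeviceAdminReceiver}:
      uid=1000'

# active_admin_packages <dumpsys text>: package name of every enabled admin.
active_admin_packages() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -o 'ComponentInfo{[^/}]*' | sed 's/ComponentInfo{//' | sort -u
}

# third_party_packages <pm text>: strip the "package:" prefix from each line.
third_party_packages() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | sort -u
}

# suspicious_admins <pm text> <dumpsys text>: packages present in both sets.
# A user-installed device admin is not necessarily malicious, but it is the
# first place to look when an app refuses to uninstall.
suspicious_admins() {
    admins=$(active_admin_packages "$2")
    for pkg in $(third_party_packages "$1"); do
        if printf '%s\n' "$admins" | grep -qx "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Live version of the check (needs adb on PATH and USB debugging enabled).
device_suspicious_admins() {
    suspicious_admins "$(adb shell pm list packages -3)" \
                      "$(adb shell dumpsys device_policy)"
}

# Stop and remove one package once its Device Administrator entry has been
# deactivated on the device (Settings -> Security -> Device administrators).
# `am force-stop` is the command-line equivalent of Device Monitor's "Stop".
remove_package() {
    adb shell am force-stop "$1"
    adb shell pm uninstall "$1"
}

if [ "${1:-}" = "--device" ]; then
    device_suspicious_admins
else
    echo "Third-party device admins in the constructed sample:"
    suspicious_admins "$SAMPLE_PACKAGES" "$SAMPLE_DEVICE_POLICY"
fi
```

Run the script with no arguments to see it work on the embedded sample, or with `--device` against a connected phone. `pm uninstall` still fails while the package is an active device admin, which is why the deactivation step stays a manual one on the device in this example.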



  • 2934c37

    All these nonsecure OSes allow them to be screwed all day. Apple leads the way, but not by example but by truth, only because their OS system is locked. Locks keep honest men honest, honestly.
    I knew Android was and is acceptable to all viruses coded to be repeat offenders,
    as in the text above. Thank you Malwarebytes, I’ve been fixing computers a long 14 yrs and many changes to them throughout the times, and always you are a first to second choice. Keep being the best. I WILL

  • 2934c37

    Also you can use Android Commander to remove the files in Android that are not supposed to be there, but root needs to be done first to run through the system deleting things.


  • https://twitter.com/matthewboyle25 Matthew Boyle

    Hi,

    My name is Matthew and I work for BaDoink.

    Please note that BaDoink has no affiliation with this at all. Our brand is being hijacked and used for this purpose.

    We work very hard to protect our brand.

    If anybody has any questions please feel free to get in touch with me directly at matthew.boyle (at) teamcmp (dot) com.

    Thanks and regards, Matthew

  • Drew

    I was actually watching youtube and a shortcut was created and this cruel page popped up. However the above steps worked. Thank you!!

  • Forrest Wilson

    The instructions for Android 4.0 (Ice Cream Sandwich) didn’t work. After a Google search, I found the following, which does work:

    On older versions of Android, long-press the power button and then tap Power Off to turn off your device. Turn on the phone or tablet by long-pressing the power button again. Release the power button and, when you see a logo appear during boot-up, hold down both the Volume Up and Volume Down buttons. Continue holding the two buttons until the device boots up with a Safe mode indicator at the bottom-left corner of its screen.

  • Sam Elliott

    Thank you for putting this here, Matthew.

  • maria

    The uninstall button is not working for the virus app. I have an Android S4; what do I do?

  • Armando Orozco

    Hi Maria,

    I would suggest following the steps to remove in Safe Mode. You might need to deactivate from Device Administrators first. Settings -> Security -> Device administrators -> uncheck Malware app -> Deactivate.

    -Armando


  • dakota

    BaDoink isn’t showing up. I have the Android X1, not X2 or Galaxy, and I can’t find the fake Flash or BaDoink apps, so how do I remove it? It’s been on my phone for months now; I’ve been using it in safe mode, but I still can’t use any apps.

  • Armando Orozco

    Hi Dakota,

    I would suggest following the steps to remove in Safe Mode. It’s possible the app has a different name. Look in Device Administrators; there you might see it. It’ll probably be an app you don’t recall installing.

    To deactivate from Device Administrators before uninstalling: Settings -> Security -> Device administrators -> uncheck Malware app -> Deactivate.

    Please go to our forums page if you need further assistance.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando


  • wilcox

    What if your phone won’t go to safe mode or reset?

  • Armando Orozco

    Hi Wilcox,

    Depending on the manufacturer of your device the steps might be different. You can try Google searches based on your device and ‘Safe Mode’; the manufacturer’s website might help also.

    Might help: http://androidflagship.com/9294-boot-any-android-device-in-safe-mode

    If you still have trouble please contact us via our Support forum.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Alex Helton

    My dad’s been in the biz since ’81. You’ve got long way to go.

  • Cindy

    Cannot uninstall app, even in safe mode. Tried unchecking as administrator but FBI screen pops back up. HELP

  • Cindy

    This is not working for me. I uncheck it and it still pops up.

  • Armando Orozco

    Hi Cindy,

    Please contact our Support team for assistance.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando


  • brit

    Hey. What if it’s on something like a Nook? I’ve gotten it to stop popping up, but I want to make it not be on it anymore.

  • Robin Wright

    Hi, got the ransomware virus on my phone by clicking on a bogus link in a genuine forum. Cannot find any app that looks suspicious, so how can I remove it?

  • Armando Orozco

    Hi Robin,

    Did you actually install an app, or just see the pop-up ads? The apps are usually adult themed or a fake Flash app. Look through your list of installed apps in Settings for one that doesn’t look familiar.

    You can visit our support forum for additional help if needed.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Scott Seguin

    Quite possibly found a new variation of this virus that affects Safe Mode as well.

    I can get into safe mode, but as soon as I try to use the phone to go into Settings, TouchWiz (touchscreen app) unexpectedly stops, then Settings “unexpectedly” stops working, then TouchWiz, then Settings, over and over and over. It’s like it’s fighting from not being removed. I’m in a worst-case scenario, as the new phones are having their recovery modes turned off from the factory, so you can’t just boot into them and reset the phone back to factory.

    This is a Samsung Galaxy S3 Mini (i8910) and I’m trying to do a worst case and restore it from a factory ROM. But it’s not seeming to want to take. And since I can’t get into the Settings menu I can’t get the correct ROM file to flash it.

  • jeffrey yang

    Help please! I went into safe mode and found the app, but it won’t let me uninstall… HELP

  • jeffrey yang

    Help, it won’t let me uninstall even in safe mode. “uncheck Malware app”: it’s not even checked. Just can’t do anything to it, it’s like it’s invulnerable. HELP

  • Armando Orozco

    Hi Jeffrey,

    You might have to remove the app from the Device Admin list before you can uninstall. Settings -> Security -> Device administrators -> uncheck Malware app -> Deactivate.

    If you continue to have trouble contact our forums page for help.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Armando Orozco

    Hi Scott,

    This is an interesting one; are you sure it’s the Trojan? An advanced trick would be using Device Monitor in Android Studio to kill the app, then uninstall. Device Monitor uses the adb bridge via USB. Here are some instructions on how to set it up if you’re not familiar with it; they are a bit old and the SDK has been replaced by Android Studio, but it’s very similar in layout and file locations/names.

    Once in Device Monitor you can view the app, if running, and click ‘Stop’ to kill it.

    http://forum.xda-developers.com/showthread.php?t=2304122
    http://developer.android.com/sdk/index.html

    or if your device has root

    adb shell pm disable

    -Armando

  • Scott Seguin

    This is impossible to do because the app has taken over the phone already; I would have had to have been able to put the phone into USB debugging mode before this happened. I cannot get to any screens in time to change things. It comes up within maybe 10-20 seconds of the phone going into Android.

  • Scott Seguin

    Finally got the thing to get into debugging mode and got into the recovery to just wipe the phone out.

  • Armando Orozco

    Great job. By chance did you get the APK or package name? I would definitely like to have a look at that one.

    You can contact me via our forums.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

  • Scott Seguin

    Sorry, the best I can give you is that it looked like a fake Flash Player update, from what I was able to see in apps before it took over the phone. I wasn’t able to save the APK; should have thought about it though. I was able to at least back up the phone via Kies. It’s working, and the customer will be happy.

  • Guest

    Hello, I have a problem: when I run a scan (Android tablet), your program finds the following: Android/trojan.Sivu, location /system/app/appconfig.apk. The problem is that I can’t delete it, and there is also no way to turn on safe mode.

  • Xandy Monzen

    Hello, I have a problem when I put to scan (android tablet), the program you will find the following Android / trojan.Sivu, Local /system/app/appconfig.apk, the problem is that I can not delete it and also there is no way to connect safe Mode.

  • Armando Orozco

    Hi Xandy,

    Please contact our forum support page for assistance.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • ——

    It won’t let me uninstall the app. Even when in safe mode it doesn’t give me the option like it does for any other app. What should I do?

  • Armando Orozco

    Hello,

    Are you able to locate the app in the list of installed apps in Android Settings?

    I would suggest you contact our support forum for help.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Armando Orozco

    Hi Rajat,

    By chance do you synchronize your Gmail account with your phone? This seems to be browser related and not related to an app, especially if it still exists after a phone reset. Look at your PC and see if you have a malicious extension or add-on.

    -Armando


  • Extremely Stupid Teen

    The app is installed under “browser updater” on my phone; however, I cannot remove it. I cannot get into settings or manually delete the app. When I try to turn my phone off nothing happens; the only way I can turn it off is by removing the battery. Any help would be greatly appreciated.

  • Extremely Stupid Teen

    Never mind, got into safe mode and did a factory reset. It came up saying Android is upgrading and all is fine now.

  • Alyssa

    So I have the galaxy S4 and I got my phone onto safe mode, but I cannot find any app that looks like it shouldn’t be there. What do I do? Is there any way I can figure out which app this is connected to other than just guessing?

  • Armando Orozco

    Hi Alyssa,

    Are you able to locate the app in the list of installed apps in Android Settings?

    I would suggest you contact our support forum for help and an expert can assist.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Julia Vasaturo

    The app BatteryBoost showed up as a threat, and it’s an administrator. Every time I try to deactivate the administration, it closes my settings. I tried to see if it still said it was a threat, and it didn’t. It’s so sneaky! I saw the permissions it has, and it has access to EVERYTHING. PLEASE HELP ME GET RID OF THIS!!

  • Armando Orozco

    Hi Julia,

    Did you try disabling it from Device Admin in Safe Mode?

    Please contact our help forums, one of our experts can assist you.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando

  • Christopher Stansfield

    Unfortunately I have a flavor of this app (disguised as Adobe Flash Player) that cannot be uninstalled and has somehow made it impossible to remove the device administrator. If I attempt to go into “Device Administrators” under safe mode I am told “No Device Administrators Available.” In the rare circumstances when I can get past the block screen in normal mode and attempt to revoke the administrator’s permission I get an error message saying it can’t be unchecked and then my phone hangs on that error message.

    Any help with what folder or file I can delete to give me temporary relief or how to re-enable the ability to uncheck the administrator’s permission would be much appreciated. I can’t possibly be the only person experiencing this but searches turn up nothing.

  • Armando Orozco

    Hi Christopher,

    Please contact our help forums, one of our experts can assist you.

    https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/

    -Armando