OFFICIAL SECURITY BLOG
May 7, 2014 | BY Armando Orozco
A new Android ransomware dubbed Koler has been spreading as a fake adult-themed streaming app, ‘BaDoink’.
Uncovered by security researcher Kafeine, Koler uses familiar “Police Locker” tactics to get victims to pay a ransom for unlocking their PC or device.
Traced back to the team that brought us the Reveton ransomware, Koler uses FBI and other police agency symbols to look legitimate, as well as carefully crafted text.
While your files and other data are not encrypted by Koler.a, the annoying browser page takes over as the active window.
Koler is delivered through site redirection. Once installed and running, the ransom browser page takes over the device; pressing the Home button or attempting to dismiss the page works only for a very short time, and the page reappears within a few seconds or as soon as you try to open another app.
This causes removal problems because you don’t have enough time to uninstall through normal methods.
The good news is you don’t have to pay the ransom to remove it.
First off, Malwarebytes Anti-Malware Mobile detects this threat as Android/Trojan.Koler.a and will prevent and remove it on your Android device.
However, at times there are race conditions where Koler’s page is up and has control of the screen, or you might not have a security tool installed.
You can try the traditional method of going to the app tray and dragging the icon to the Uninstall/Remove area, but you have a limited amount of time before Koler resurfaces.
The quickest manual solution is Android’s Safe Mode. As on Windows, Safe Mode is a diagnostic environment where third-party apps won’t load, so you can remove the app.
Anyone see a theme here?
Booting to Safe Mode
Because of the various Android updates and different device/carrier flavors, I’ll provide two methods; hopefully one of them will work for you. If they don’t, you will have to look up how to do it on your particular device.
Jellybean, Android 4.1 and up
Prior to Jellybean, or if the above steps do not work
Once in Safe Mode
To stay safe from such auto-download/install attacks on Android, keep ‘Unknown Sources’ disabled and stick to trusted sources. The creators of the real BaDoink app are not behind these tactics; only the app’s likeness was used.
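An added example, not from the original post or from Malwarebytes: the uninstall race described above (the lock page returns before you can drag the icon away) can also be side-stepped over adb, which keeps working while the page owns the screen, and the same session can report the ‘Unknown Sources’ setting the post tells you to keep off. It assumes USB debugging was enabled before the infection, `adb` is on PATH with one device attached, Android 4.2 or later for the `settings` command, and a baseline list of known-good third-party packages; all package names in the samples are constructed.

```shell
#!/bin/sh
# Triage a locked Android device over adb (added example, not the post's
# own procedure). Assumptions: adb on PATH, one device attached, USB
# debugging already on, Android 4.2+ for `settings`. Sample package names
# used in comments/tests are constructed, not real indicators.

# Normalise `pm list packages -3` output: drop the "package:" prefix and
# the CR that adb on Windows appends, then sort so lists can be compared.
parse_package_list() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | LC_ALL=C sort
}

# Print third-party packages present now but absent from a known-good
# baseline (one package name per line) captured before the infection.
new_packages() {
    base=$(mktemp) || return 1
    printf '%s\n' "$1" | tr -d '\r' | LC_ALL=C sort > "$base"
    parse_package_list "$2" | comm -13 "$base" -
    rm -f "$base"
}

# Live triage: report whether Unknown Sources is enabled (1 = enabled,
# the state the post warns against) and list packages not in the baseline.
# Removal is left to the operator, e.g. `adb uninstall <package>`, which
# does not depend on the ransom page releasing the screen.
triage_device() {
    baseline_file="$1"
    state=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    echo "install_non_market_apps: $state"
    echo "third-party packages not in baseline:"
    new_packages "$(cat "$baseline_file")" "$(adb shell pm list packages -3)"
}

# Usage: sh triage.sh known_good_packages.txt
if [ -n "${1:-}" ]; then
    triage_device "$1"
fi
```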