As of Monday, AdaptiveMobile had observed several hundred devices across multiple U.S. carriers showing signs of infection.
As of Monday, AdaptiveMobile had observed several hundred devices across multiple U.S. carriers showing signs of infection.

In May, researchers observed Android ransomware identified as Koler.A locking up the screens of victims around the world who visited certain pornographic websites – now, mobile security company AdaptiveMobile has discovered a worm variant that is spreading through SMS.

Upon infection, the Koler variant – named Worm.Koler – will send an SMS message to all contacts in the device's address book stating that someone has created a profile using their photos, according to a Monday post. The message also contains a Bitly link.

“The worm system queries the database of the user's contacts and cycles through them,” Cathal McDaid, head of data intelligence and analytics at AdaptiveMobile, told SCMagazine.com in a Wednesday email correspondence. “It looks like they wrote this themselves, but it is not that difficult to implement.”

Clicking on the Bitly link brings users to a Dropbox page with a download for a ‘PhotoViewer' app that, when installed, forces a ransom screen to pop up incessantly, the post indicates. The message states that the device has been locked up for containing illicit content and users must pay $300 via MoneyPak to ‘wave the accusations.'

Koler.A delivered ransom screens that reflected the location of the user, but that is not the case with Worm.Koler.

“The screen is always U.S.-centric – this time in Worm.Koler the ransom page is hosted within the [APK], whereas in the original Koler it was fetched from a server based on the location of the device,” McDaid said, adding that the blocking mechanism that prevents the user from doing anything on the device is more efficient in this variant.

Unlike other SMS worm techniques that involve sending repeated text messages, Worm.Koler will only once send the message to all contacts in the device's address book. McDaid said it likely does this because the behavior is more natural and recipients will not be as suspicious.

AdaptiveMobile believes the original outbreak date to be Oct. 19 and, as of Monday, the company had observed several hundred devices across multiple U.S. carriers showing signs of infection, according to the post. Citing statistics from Bitly, the post indicates that 75 percent of clicks have come from the U.S.

“We can't tell for certain if it is the same attackers [as the original Koler], but in this case it looks like the attackers optimized it for the North American market – by only having a US-based pop-up screen – and there are differences in how the code is packaged,” McDaid said.

AdaptiveMobile notified Dropbox and Bitly and the file and link have been removed. Koler does not encrypt files – according to the post, users can eliminate this threat by rebooting the device in “Safe Mode” and removing the "PhotoViewer" app using the standard Android app uninstaller tool.