9 May 2014

A new type of malicious Android ‘ransomware’ app displays fake police warnings and/or blocks access to your device, demanding money to unlock it. The attackers are believed to be targeting more than 30 countries, including Australia.

The app is similar to Cryptolocker—a ransomware trojan that targets desktop computers, encrypting files on your hard drive—but although this new Android version blocks access to your device, it does not actually encrypt your files, so you can recover your device.

The malware is spread through fake pornography apps. Users may have installed these apps by clicking links in phishing emails or visiting websites featuring apps, such as adult-themed streaming services. These apps redirect you to a further site where the malicious trojan (known as Koler) is pushed straight on to your phone and installed.

Once installed, the app blocks your device and demands that you pay a fine. It displays official-looking warnings from law enforcement agencies such as the FBI, claiming that you have been discovered visiting illegal sites containing child pornography, or simply claiming that your device’s files are encrypted and that the device will be blocked until you pay.

[Image: Android ransomware. Image credit: Malwarebytes]

Android users, like any computer users, should be wary of clicking links in emails from people they do not know or trust.

You should avoid installing apps on your device from unknown sources. Android devices have been targeted by fake apps and malware on a number of occasions.

Stop the installation of apps from unknown sources

If you are using an Android device, you can disallow apps from unknown sources being installed. The instructions may vary for different models, but options can be found in Settings > Security, or similar. Uncheck the box for Unknown Sources.

How to prevent and remove the malware

Anti-malware apps available from reputable security organisations should detect these kinds of malicious apps and prevent them from installing on your device.

If you do not have anti-malware installed on your device, you may still be able to remove the ransomware app by entering your device’s Safe Mode. In Safe Mode, third-party apps are not permitted to load. The ransomware apps can then be removed.

Steps on how to start Safe Mode also vary depending on the handset, but will be similar to:

1. Press the Power button
2. Once presented with the Power Off screen, long-press the Power Off button
3. Press ‘OK’ to reboot to Safe Mode

You can check with your device manufacturer for instructions for your particular model.

Once in Safe Mode, follow your usual steps for uninstalling an app. These will also vary between devices, but typically, you can uninstall an app in Settings > Apps > locate the app that you want to remove > Uninstall. Then restart the device to run in Normal Mode.
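To help locate the app to remove, the following added example (not part of the original alert) lists third-party apps whose recorded installer is not Google Play, which is how apps from unknown sources show up. It assumes the Android SDK's adb tool on a computer, USB debugging already enabled on the device, and the package manager's `pm list packages -3 -i` listing; the package names in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag third-party Android apps that did not come from Google Play.
# Assumed input: lines from `pm list packages -3 -i`, for example
#   package:com.example.app  installer=com.android.vending

PLAY_STORE="com.android.vending"   # installer name recorded for Google Play installs

# Read the listing on stdin and print one package name per line for every app
# whose recorded installer is not the Play Store (missing or "null" included).
list_sideloaded() {
    awk -v store="$PLAY_STORE" '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { inst = $i; sub(/^installer=/, "", inst) }
            if (inst != store) print pkg
        }'
}

# Constructed sample listing (package names are made up for illustration).
sample_listing() {
    cat <<'EOF'
package:com.example.notes  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.game  installer=com.android.vending
package:com.example.flashupdate
EOF
}

# Against a real device connected over USB, run instead:
#   adb shell pm list packages -3 -i | tr -d '\r' | list_sideloaded
# and remove an unwanted app with:
#   adb uninstall <package.name>
sample_listing | list_sideloaded
```

An app appearing in this list is not necessarily malicious; it only means the app was installed from outside Google Play, so check each name before uninstalling.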

More information

More information about this ransomware on Android devices can be found on most security vendors' websites. Kaspersky has a good explanation. Security vendor Malwarebytes includes a useful description of the Koler trojan.

Stay Smart Online’s website has good information on staying safe with your mobile device.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.




This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.

