Protect your Android Device from Ransomware

Ransomware is a type of malware that prevents users from accessing their data unless they pay a typically hefty ransom. But how does Android ransomware work, and how can you protect your device?

Android malware runs on devices that use the OS, such as smartphones and tablets. Some strains disable or lock the device, some track the user’s activity, and others encrypt or steal the user’s stored data. Because people use smartphones and tablets more and more – and store increasingly large amounts of personal data on them – cyber criminals are devoting more effort specifically to mobile devices running Android. Ransomware is a particularly nefarious type of malware, and one we’ve written about extensively. The bad news is that it isn’t just desktop users who can be victims of ransomware – a growing number of Android ransomware families are appearing.

While there are different forms of ransomware, the basic principle is the same: users are unable to access their data. With crypto ransomware, files stored on the device are encrypted; this is the most common form of ransomware targeting desktops. Locker ransomware doesn’t encrypt your files; instead, it denies access to the device and its data, typically by locking it. This is the type most common on Android devices.

As with other forms of malware, Android ransomware typically gets onto a device by tricking the user into downloading malicious files, such as fake versions of apps from non-legitimate sources. In 2014, an Android ransomware dubbed Koler spread via a fake app called “BaDoink”. Koler is a “police virus” ransomware, so called because, upon installation, newly infected devices display a warning claiming that the device’s owner has been viewing illegal content. The user’s data isn’t encrypted, but the pop-up takes over as the active window, and dismissing it only works for a limited time.

Another Android ransomware, DoubleLocker, surfaced in 2017. It both encrypted users’ data and changed their PIN code, making it what is known as “two-stage” malware. Spread via a pop-up offering a bogus update to Adobe Flash Player, DoubleLocker asks the user to grant it accessibility permission under the guise of Google Play Services. If the permission is given, the malware gains full administrative rights over the device, enabling it to set itself as the default home application, encrypt the data, and change the PIN.

The most important thing to remember with Android ransomware – and all ransomware in general – is to never pay the fine. Paying only encourages the development of new forms of ransomware, and there’s no guarantee that you’ll actually get your data back anyway. Plus, most Android ransomware can be removed fairly straightforwardly. If your Android has become infected with ransomware and you can still use the device, turn it off and reboot it in safe mode while you work to remove it. Most Android devices let you switch to safe mode by holding down the power button for a few seconds, then immediately tapping and holding the power off option; this brings up several options, including booting into safe mode. Next, open your Android’s Settings and remove the app that caused the ransomware infection. In some instances, the ransomware may have tried to prevent this by giving itself administrator privileges; this is easily remedied by revoking them in the device administrators section of Settings. This method will work for locker ransomware like Koler, but for crypto ransomware like DoubleLocker, you’re going to have to perform a factory reset on your device if you want a quick fix and have recently backed up your data. If you haven’t backed up recently, our Android phone recovery team might be able to help.
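As an added triage example that is not from the original article: a short Python script that flags apps holding the privilege combination DoubleLocker relies on, an enabled accessibility service plus device admin rights, and reports whether such an app has also made itself the default home app. It assumes text captured from the device with the named `adb shell` commands; the sample outputs embedded below are constructed and simplified, so the parsing may need adjusting to a real device’s output format.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SAMPLE = (
    "com.android.talkback/.TalkBackService:"
    "com.example.flashupdate/.AccessibilityHelper"
)

# Constructed, simplified sample of: adb shell dumpsys device_policy
DEVICE_POLICY_SAMPLE = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashupdate/.AdminReceiver:
      uid=10234
    com.corp.mdm/.MdmAdminReceiver:
      uid=10100
"""

# Constructed sample of: adb shell cmd package resolve-activity --brief \
#   -a android.intent.action.MAIN -c android.intent.category.HOME
HOME_SAMPLE = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.flashupdate/.LockScreenActivity
"""


def accessibility_packages(text):
    """Package names of enabled accessibility services ("null" means none set)."""
    text = text.strip()
    if text in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in text.split(":") if entry}


def device_admin_packages(text):
    """Package names of enabled device admins, parsed from dumpsys output."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", text, re.M))


def default_home_package(text):
    """Package that resolves as the default launcher, or None."""
    for line in text.splitlines():
        if "/" in line and "=" not in line:
            return line.strip().split("/")[0]
    return None


def suspicious_packages(acc_text, dp_text, home_text):
    """Map each package holding BOTH accessibility and device-admin rights to
    whether it is also the default home app. Review every hit by hand: a
    legitimate MDM agent or screen reader can hold these rights too."""
    both = accessibility_packages(acc_text) & device_admin_packages(dp_text)
    home_pkg = default_home_package(home_text)
    return {pkg: pkg == home_pkg for pkg in sorted(both)}
```

A package that appears in the result and is also the default home app matches the behaviour described for DoubleLocker; revoke its administrator rights in Settings as above before uninstalling it.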

To prevent future Android ransomware attacks, make sure you have an up-to-date version of the operating system, and don’t download apps from nefarious sources – stick to official channels. Backing up regularly is also highly recommended, so you can perform a quick factory reset if you need to.
