Android ransomware evolves into more menacing forms
Android ransomware  may not be a virus that you recognize from numerous attacks that hackers typically launch on Windows and Mac OS X users. These malicious parasites are build to block Android OS-running devices and make the victims pay a set amount of ransom just to get the control over their smartphones back again.
Android-based ransomware started spreading around as simple viruses that block the access to the phone with a lock screen ransom note. However, some of them were soon modified to obtain Device Administrator privileges and change the PIN code of the device. Knowing that your phone's or other device's PIN can be changed by hackers is already highly unsettling, but there is much more Android malware can do.
At the end of 2016, security researchers discovered the most surprising news — some smartphone parasites are capable of blocking LG Smart TVs. Fortunately, LG didn't leave their clients to deal with the hijack alone and helped the victim to remove Android virus permanently with TV factory reset. Other versions of this malware can be removed with the help of Reimage.
Users who prefer visiting various potentially insecure domains are more exposed to the risk of this file-encrypting malware. You can accidentally infect your phone with this virus by clicking on unreliable links. Such links are usually displayed on high-risk websites (mostly gambling or pornographic content sites).
Additionally, you can become a victim of the ransomware by downloading unreliable apps from shady app stores. For example, adult content related apps such as Porn ‘O’ Mania, Love Beauty, Sexy Hot, Sexy, Lutu and similar apps are known to be spreading mobile ransomware around. You can find these programs in some third-party app stores only.
Unfortunately, we cannot list all of Android ransomware app names. That's why you should always double check apps before installing them on your device. In short, now you should concentrate on Android ransomware removal.
When a user installs such malicious app and runs it, he/she receives an additional pop-up message on the screen, which might look like a regular system message that asks to adjust app settings or to install additional (or recommended) apps.
If the user clicks on this window or agrees to “continue,” he or she unconsciously gives admin rights to the virus. This is exactly what Android malware needs. This indirect method to get user’s agreement is called clickjacking – it forces the user to agree with something that he/she was not aware of.
Exploiting device's administrative privileges
When Android virus gains access to monitor the phone as an administrator, it finds all files on the phone and encrypts them. As a consequence, they become inaccessible.
Then, this mobile virus displays a threatening message, saying that the user has accessed illegal content. It also warns that your personal records, as well as web browsing history, might be sent to all contacts that were found on your phone.
In addition to that, this virus can change your phone passcode and PIN code. The reason update of the malware contributes to the better performance of the threat and makes it more troublesome to remove.
Previously, the malware exploited hard-coded passwords to lock victims devices. Luckily, virus researchers found a workaround – they created a matching code according to the pattern of lock screen original code.
After finding out that their masterpiece was cracked by the “good guys”, hackers came up with the update. Now they switched to pseudorandom codes which are generated in the manner of Math.Random function.
In short, the hackers are able to generate unique 6-digit or 8-digit codes. Moreover, they combined this method with the former peculiarity. Certainly, this technique burdens the termination of the ransomware.
Furthermore, this mobile virus is called a ransomware not without a reason. In the ransom note, the malware demands to transfer the money in order to recover personal files and secure your privacy. It claims:
Your location: XXXX
Operating system: XXXX
You are accused of viewing / storage and / or dissemination of banned pornography…you have violated World Declaration of non-proliferation. You are accused of committing the crime envisaged by Article 161 of the United States of America criminal law. Article 161 of the United States or America criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years. Also you are suspected of violation of copyright and related rights law (downloading of pirated music, video, warez) and of use and / or of dissemination of copyrighted content.
This alert also claims that you should pay the ransom but you should never do that! This virus can encrypt your files, but reportedly it can permanently delete them all, too. Therefore, there is no logical reason to pay the ransom. It is very unlikely that your files can be recovered, so the only thing you can do now is to remove Android ransomware and protect your device against similar virus attacks in the future.
UPDATE: Russian users – among Android ransomware targets
Android ransomware is getting increasingly more dangerous as the hackers apply new techniques for the development of its versions. The latest version that is specifically oriented towards the Russian-speaking users employs Firebase Cloud Messaging platform (the former Google Cloud Messaging) to lock the smartphone’s screen.
This facilitates the operation of the hackers’ Command & Control server which is already responsible for around 20 operations that can be carried out on the infected device. The hackers can remotely lock or unlock the smartphone screen, gain access to the saved contacts and create new ones, send SMS and make adjustments to the malware code.
For the unlocking of the phone, hackers demand a huge amount of money (around 9,100 dollars) which usually doubles or triples the actual phone’s worth.
Unfortunately, there are users who are willing to pay the ransom. What they fail to realize, though, is that the money they send to the hackers motivates them to continue creating malicious programs in the future.
If you are ever in such a situation or if your phone is locked at this very moment – do not pay the ransom or enter any sensitive information you might be asked by the hackers. Instead, delete the virus from your device following the instructions we provide at the end of this article.
Update October 18, 2017. DoubleLocker ransomware is perhaps the first crypto-malware with exquisite operation mode. Besides encrypting users' data, the virus is also capable of locking the device and changing a PIN code. The infection makes use of accessibility settings which were designed for users with physical disabilities. The essence of this functionality is to allow certain apps run without users' direct consent.
Furthermore, DoubleLocker virus was created on the basis of Svpeng banking trojan. It might develop into more menacing malware causing high financial losses. Users should also take into account that the malware disguises under fake Flash Player update – a common bait among majority of malware developers.
Fraudulent updates often pop up in random pages. Note that only the notification popping up in Windows Action Center and informing about the latest Flash player update release is genuine. In other cases, treat urgent update messages in the Web as deceptive.
Protect your smartphone data
According to our research, the malware can only affect phones that run earlier versions than Android 5.0. Unfortunately, it means that over 67 percent of Android users can unexpectedly infect their phones with Android ransomware. That is why we want to share some tips how you can secure your phone from malware attacks:
- Download applications ONLY from verified and secure app stores. You can trust Amazon, Samsung, or Google Play stores.
- Keep your phone software updated.
- You can also install an app that is capable of securing your device from malware infiltration – we recommend BullGuard Mobile Security. It ensures complete Android ransomware removal.
Complete Android crypto-malware elimination properly
The instructions provided below should help you to remove Android ransomware as well:
- Reboot your phone into Safe Mode:
- Find the power button and then press it for a few seconds until you see a menu. Click Power off.
- Once you receive a dialog window that suggests you to reboot your Android to Safe Mode, select this option and press OK.
- If this did not work for you, just turn off your device and then turn it on. Once it becomes active, try pressing and holding Menu, Volume Down, Volume Up or both these buttons together to see Safe Mode.
- Uninstall malicious and/or any suspicious and unknown apps (Android ransomware may hide under Porn’O’mania or other suspicious names):
- When in Safe Mode, go to Settings. Then, click on Apps or Application manager (this may differ depending on your device).
- Here, look for the previously-mentioned suspicious app(s) and uninstall them all.
If you are dealing with Android ransomware on your smart TV, make sure you follow this video guide. Keep in mind that ransomware viruses can attack phones, computers and TVs (!) as well.
This particular virus affects different devices in a similar way – it locks the screen, changes the PIN of device and urges the victim to pay a ransom.
We strongly recommend reading this article about this type of computer viruses – What is ransomware? – to learn more about the prevention of such malware.