If you have an Android phone, you should be aware of the growing cyber threat known as Android ransomware and how to combat it.
Hackers are using fresh and innovative types of Android ransomware to attack Android smartphone users. We saw Android/Filecoder.C appear last year, and this year it’s AndroidOS/MalLocker.B.
Android is the most common mobile operating system in the world, with 85 percent of the market share and over 2.5 billion active users. Cybercriminals are attracted to this massive pool of possible targets. You’ve come to the right place if you’re an Android user worried about the protection of your data and device. We’ll go over the following topics in this article:
- What is Android ransomware?
- How does it damage your mobile?
- What to do if your phone gets affected?
- How can you prevent it?
So, without further ado, let’s take a look at the subject of Android ransomware.
What Is Android Ransomware?
Android ransomware is a form of malicious software (malware) that targets Android-based smartphones and tablets.
Ransomware attacks on Android are akin to kidnapping. Hackers infect Android phones with malware variants (viruses, trojan horses, rootkits, and worms). The malware steals or encrypts data from users’ smartphones, or it prevents them from using the device by freezing the screen. The attackers then extort money from the victims in return for access to their devices or data.
One or more of the following techniques can be used in a mobile ransomware attack:
- Encrypting data and demanding ransom money in return for access to the affected data.
- Locking the phone or screen so that users are unable to access any of its functions until the ransom is paid.
- Taking personal information or confidential media files and threatening to release them to the public if the ransom is not paid.
On an infected device, Android ransomware usually remains inactive, quietly altering its configuration and waiting for a trigger that the user will set off. The trigger may be an event such as the user attempting to make a phone call or visiting a specific website or app. As soon as the user trips the trigger, the ransomware begins its work (encrypting the data or locking the device), and the device’s screen then displays the ransom demand.
Examples of Android Ransomware
SimpLocker, one Android ransomware variant, poses as the National Security Agency or the Federal Bureau of Investigation. This form of ransomware encrypts files and locks the device, demanding that the user pay a fee to regain access.
Categories of Android Ransomware
ESET distinguishes two types of Android ransomware:
1. Crypto ransomware: This type of ransomware encrypts sensitive information, such as documents, files, and media material. The threat actors encrypt and decrypt the data with cryptographic keys, and the hacker demands a ransom in exchange for the decryption key. (The hacker may or may not send you the decryption key, and even if they do, it isn’t guaranteed to work.)
2. Locking ransomware: The hackers take control of the entire user interface (UI) and lock the phone. All other windows are pushed aside by the ransomware warning. As a result, no matter which buttons victims push, they will not be able to remove the popups or access anything on their phones unless they pay the ransom or have the necessary technical resources to remove the malware themselves.
Classic locker ransomware examples include MalLocker.B and Koler.a for Android. They lock the phone’s screen and show ransom notes that look like they’re from the police. Users are informed that they have committed an online crime and must pay a fine to regain access to their phones.
How Does Android Malware Get Inside Your Phone?
Okay, you’ve heard of Android ransomware and what it can do. Now comes the million-dollar question: how does ransomware get into your phone in the first place?
Malware for Android is generally distributed using the following methods:
- Third-party websites,
- Phishing: malicious email attachments, posts on discussion forums (where hackers join group discussions and post malicious links that appear to lead to related information), and social media lures (infected games, links, surveys, or malvertisements),
- SMS phishing (smishing) schemes and infected applications that are widely distributed via third-party app stores.
Cybercriminals may also use trojans, malicious links, and various social engineering techniques to spread Android malware. They pass malware off as well-known programmes, cracked apps, games, video players, or antivirus software. When users tap such a link, malware is installed on their phones and takes over in the background.
How Does Android Ransomware Work?
The threat of Android ransomware keeps evolving. According to Microsoft’s 365 Defender Research Team, Android malware has traditionally abused the platform’s SYSTEM_ALERT_WINDOW permission. This feature lets an app show alerts on top of every other window that can’t be ignored and need immediate attention. And, like so many other nice things in existence, hackers twisted this functionality to display ransom notes for their evil deeds.
To counteract this, Google added a “kill switch” to Android OS versions 8.0 and later, allowing users to disable the overlay window. Previously, all it took was a single tap to grant an app the SYSTEM_ALERT_WINDOW permission, a permission many users forget they ever granted. Now, however, an app requesting that permission must send the user through a series of screens.
According to Microsoft’s 365 Defender Research Team, the new evolution in Android ransomware includes the following steps:
- Building Notifications: When Android ransomware infects a device, it begins by building a notification that carries the ransom demand. The setCategory("call") call marks the notification as critical, the kind that requires special permissions to display.
- Hijacking the Screen: The notification is registered with the system UI, and when the user taps it or some other predetermined trigger fires, the malware uses the setFullScreenIntent() API to display the ransom window across the whole screen.
- Blocking users from doing anything else: As soon as the ransom note appears on the phone, the malware hooks the Android onUserLeaveHint() callback. This means users are unable to close the note even when they press the back button. If they try to use any other phone feature, the main screen stays blank while the ransom note remains on top.
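As an added example (not code from the article or from Microsoft’s report), here is a small Python triage helper that scans decompiled Android source text for the three API indicators described above plus the USE_FULL_SCREEN_INTENT permission that full-screen notifications need on Android 10 and later. The scoring heuristic, its threshold, and the sample snippets are constructed for illustration; a hit is a reason for an analyst to look closer, not proof that an app is ransomware.

```python
import re

# Indicators drawn from the behaviour described above. Weights and the threshold are an
# assumed heuristic for this example, not a vendor signature. The onUserLeaveHint() hook
# carries the most weight because a legitimate dialer needs the other two but not that one.
INDICATORS = [
    ("notification_category_call",
     re.compile(r'setCategory\s*\(\s*(?:"call"|(?:\w+\.)*CATEGORY_CALL)\s*\)'), 2),
    ("full_screen_intent", re.compile(r'\bsetFullScreenIntent\s*\('), 2),
    ("user_leave_hint_override", re.compile(r'\bonUserLeaveHint\s*\('), 3),
    ("use_full_screen_intent_permission",
     re.compile(r'android\.permission\.USE_FULL_SCREEN_INTENT'), 1),
]
SUSPICIOUS_THRESHOLD = 6  # reached only when the onUserLeaveHint() hook is present


def scan_source(text: str) -> dict:
    """Return matched indicator names, a weighted score, and a verdict for one blob of source."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed samples: a locker-style pattern and a benign VoIP-style incoming-call notification.
LOCKER_SAMPLE = """
builder.setCategory(Notification.CATEGORY_CALL);
builder.setFullScreenIntent(pendingIntent, true);
@Override protected void onUserLeaveHint() { relaunch(); }
"""
BENIGN_SAMPLE = """
builder.setCategory("call");
builder.setFullScreenIntent(pendingIntent, true);
"""

if __name__ == "__main__":
    for label, sample in (("locker", LOCKER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(sample))
```

Point it at the output of a decompiler (for instance the Java sources jadx produces) by reading each file and passing its text to scan_source().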
How to Deal with Android Ransomware
What do you do if your Android phone is infected with ransomware? The FBI does not recommend paying a ransom because there is no assurance that cybercriminals will return your data or device to you. Some ransomware variants encrypt data in a way that prevents you from decrypting it even if you have the decryption key. Furthermore, paying a ransom raises concerns that it would encourage hackers to pursue their illegal activities in the future. Instead, try the following suggestions.
Quarantine the Infected Device
Disconnect your phone from all networks, including Wi-Fi, as soon as you suspect it has been infected with Android ransomware. Hackers use Wi-Fi to spread malware to other connected devices. Remove the SIM card if the phone is using cellular data. Hackers usually need internet access to monitor the malware on your phone, so isolating the phone from the internet helps prevent the infection from spreading.
Disconnect the handset from any other devices it is attached to, such as a smartwatch, Bluetooth speakers, or a printer. You may be tempted to connect your phone to your computer to make a backup and gain access to some features: DON’T! The ransomware could infect your computer as well.
Use Online Decryption Tools
Once the device is quarantined, use tools like CRYPTO SHERIFF, ID Ransom, or Bitdefender to try to figure out which form of ransomware has compromised your Android device.
After determining the form of ransomware, you may be able to use the matching decryption tool to try to unlock your device or data.
Open Your Phone in Safe Mode
If you haven’t taken a backup of your data and still want to save it, try rebooting the phone into safe mode. Safe mode disables all of your installed third-party applications, so the ransomware should not run.
Hold down the power button for a few seconds. You’ll see options such as Power off, Restart, and Emergency, among others. (This varies depending on the phone manufacturer.)
From those options, long-press the Power off icon on the screen.
A Reboot to safe mode prompt will appear on the screen. Tap OK and wait for the phone to reboot.
From here, back up your data and reset the phone (next step). However, you should be aware that backing up data from an infected phone is a dangerous procedure: the malware may spread to other connected devices as well. If you must, make sure that all backups are scanned with strong security software (which we’ll discuss shortly) before restoring them to a new device.
This option will not work if the malware has spread from the original app to other parts of your phone. If you still see the ransom note on the screen in safe mode, resetting the phone might be your only choice.
Reset to the Device’s Factory Settings
If the ransom note appears on your phone screen and you are unable to close the window or access anything else on the phone, your only choice is to reset the device.
This erases all of your data (including corrupted apps and malware) and restores your phone to its original state. It’s referred to as a factory reset.
Inform law enforcement about the cybercrime
If the hacker is blackmailing you into releasing or misusing your private data, this is a serious extortion case that you should report to the local police department. To deal with these types of cases, most countries have a cybercrime department that collaborates with police.
How to Prevent Android Ransomware
These are some easy steps smartphone users can take to protect themselves from Android ransomware and other cyber threats.
Use a Robust Security Software Tool
Security software not only detects and removes malware but can also warn you when you visit an infected site or download a malicious app. Auto-install variants of malware may download or install onto your mobile without you noticing. A good security programme scans and notifies you every time something downloads to your device.
We have listed some freemium security software below.
- AVG AntiVirus
- Bitdefender Antivirus
- Avira Antivirus
- Lookout Mobile Security
Be Careful While Clicking on Unknown Links and Downloading Apps
If you see any links on the comments on discussion forums, on unknown pages, or embedded in emails (especially when the email is coming from an unknown sender), avoid clicking on them.
If someone is providing a free version of common commercial items such as apps, songs, PDF files, games, or slideshows, be very careful and don’t download if it is avoidable. If you must, at least check them with robust anti-malware software before installing.
Read Reviews Before Downloading Third-Party Apps
When you are installing a new, unknown or controversial app, read the reviews first. If you see a low ranking/stars and a user complaining about a security problem or a general infection sign, you should be concerned. Messages like the ones below could mean that an app is corrupted or compromised:
- My phone became extremely sluggish as a result of the app.
- It also installed some other software or app on my phone.
- The app takes me to a different website.
- It displays intrusive popups.
- After downloading this app, my phone began to display advertising windows.
If you come across applications with reviews like these, don’t install them. You can also find feedback by conducting a separate search for the developer (company or person).
Always Keep Backups
Make regular backups of your files, including photos, videos, documents, and anything else worth saving. A safe third-party cloud platform is the safest place to store a backup. Additional copies can be stored on USB drives, external hard drives, or your computer.
You can easily recover your data from backups if Android ransomware has encrypted it on your phone.
Keep an Eye on Apps and Their Permissions
Only offer administrative rights to apps that you completely trust and that come from reputable companies and developers. To see who has administrative rights on your phone, follow the steps below:
To access Device Administrators, go to Settings > Security > Device Administrators. (Note: depending on the phone’s manufacturer, this direction can differ.)
Remove all other unidentified and unnecessary apps from the list. If you see any applications on your smartphone that you haven’t installed or that didn’t come pre-installed, uninstall them right away.
Don’t Root Your Android Phone
Rooting a handset means obtaining administrative privileges and modifying the phone’s default settings. It’s the Android equivalent of jailbreaking an iPhone. People root their phones to change the look of them, gain access to blocked applications, unlock them (to change the default service provider), and so on. Rooting, however, is a risky activity that disables many of the default security features Google put in place to protect Android users.
Rooting your phone weakens its security mechanisms, making it easy for hackers to install some form of malware, including ransomware.
Last Words on Android Ransomware
Some people may choose to “play it safe” by paying the ransom to save their valuable phones or regain access to their data. But, as you’ve seen, even that strategy isn’t without its drawbacks. After all, there’s no assurance that the hacker won’t demand more money, or that they will give you back access to the encrypted data even if you pay the ransom. It also does not guarantee that they will not target you in the future.
Instead, become acquainted with the cybersecurity best practices that will help you avoid becoming a victim in the first place. And if you are hit anyway, you now know how to deal with Android ransomware and regain access to your phone without paying a ransom.