Ransomware on Android phones

One common type works like this: the user gets a message claiming he did something illegal and that the police have locked his computer, and he will only regain access if he pays for it.

Ransomware is very common on Windows, but it is also becoming more common on mobile platforms like Android. I spotted a nice piece of Ransomware for Android during my daily work while I was analyzing some samples with a colleague. We wanted to find out exactly what the malware was doing, so we first tried to run it on a virtual machine with Android. Of course the sample crashed and did not run (demonstration effect). So we continued our analysis and tried to run it on one of the mobile devices we keep for testing…

Bingo!

‘Barack Obama’ got me with his Cyber Police! The Ransomware locked the screen of the phone and I was unable to do anything on the device. So how do I remove the malware? My first thought was to use ADB (Android Debug Bridge): connect the phone to the PC and remove the Ransomware over the USB connection. Unfortunately, USB debugging was disabled on the phone and I was unable to connect. Then I rebooted the phone and found that there was a delay after boot before the Ransomware started and locked the phone. So I tried a couple of times to uninstall the Ransomware app manually and, at last, I was fast enough to do it. My last option would have been to completely reset the phone, thus losing all data.
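The ADB route I mention above, written out as an added example (this is not code from the original post and not an Avira tool). It assumes USB debugging was already enabled and the PC authorized before the infection, which was exactly what was missing in my case; otherwise ADB cannot talk to the device at all. The package names in the sample list are constructed, and the pattern you search for depends on what you see on the device.

```sh
#!/bin/sh
# Added example: find and remove an unwanted app over ADB.
# Assumes: USB debugging enabled, the PC already authorized, adb on PATH.

# Filter package names out of `adb shell pm list packages -3` output
# (third-party packages only). Takes the raw text as $1 and an
# extended-regex pattern as $2, so it can be exercised offline.
suspect_packages() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | sed -n 's/^package://p' \
        | grep -E -- "$2"
}

# Constructed sample of `pm list packages -3` output (not real packages).
SAMPLE_LIST='package:com.example.notes
package:com.example.cyberpolice.locker
package:org.example.maps'

# Uninstall one package via ADB. Returns 1 when adb is not available.
# If `adb uninstall` reports DELETE_FAILED_DEVICE_POLICY_MANAGER, the app
# registered itself as a device administrator and has to be deactivated
# under Settings > Security > Device administrators first.
remove_package() {
    pkg="$1"
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb wait-for-device
    adb uninstall "$pkg"
}

# Usage on a real device (not run here):
#   suspect_packages "$(adb shell pm list packages -3)" 'police|locker'
#   remove_package com.example.cyberpolice.locker
```

Listing only third-party packages (`-3`) keeps system apps out of the candidate list, and `tr -d '\r'` strips the carriage returns some adb versions add to shell output, which would otherwise break the pattern match.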

Avira detects this Ransomware with a generic detection and prevents the installation of malicious software like this on your device.


Virus-Analyst - Avira Protection Labs