First Aid for Android: How to unlock your ransomed phone

Filed Under: Android, Featured, Google, Malware, Mobile, Ransomware

We all dread the moment that our computers freeze up on us.

I'm not talking about a Blue Screen of Death or a Kernel Panic.

Those are bad enough, especially if you had just finished the perfect, final draft of a document but hadn't yet hit [Save].

But even after a disorderly and unexpected shutdown of that sort, your computer will generally start back up again, usually automatically, and you can carry on where you left off.

Minus your document, of course.

What's worse than a crash is when the system stays alive, but freezes or locks up so you can't do anything useful.

It could be a misbehaving application that accidentally hogs all your system resources and won't shut down, or it could be malware that deliberately pops up over everything else, hoping to strongarm you into paying a ransom for some sort of deactivation code that will give you back control of your computer.

Either way, rebooting might do the trick, but not if the errant software loads up before you have time to intervene and uninstall it.

If that happens, you may get stuck in an infinite loop of reboot-freeze-reboot-freeze.

Fortunately, most desktop operating systems have a way around this: if all else fails, you can use a special boot CD or USB key, such as Sophos Bootable Anti-Virus, to restart your computer without running any software from your hard disk at all.

→ You can see the clean boot technique in action removing the infamous Reveton ransomware from a Windows PC in a Naked Security video published on the SophosLabs YouTube channel.

Not all faults or infections can be sorted out like this (for example, if you have a failing hard disk, or malware that scrambles your files, like CryptoLocker).

But if all that's in the way is a dodgy program that loads up early and then protects itself from being uninstalled, a clean boot can work wonders.

What about Android?

The question is, however: what about Android devices?

With fake anti-virus and "police warning" ransomware now a real-world threat on Android, it's not impossible that you might be faced with just this sort of problem on your phone or tablet: a working device, but where the only usable app is asking you to pay $300 to make it go away.

Here's the "police warning" ransomware known as Andr/Koler-A, for example, trying to squeeze you for a $300 MoneyPak voucher in return for uninstalling itself:

Koler effectively locks your phone with a pop-over browser window, like the one you see above, that quickly reappears if you try to get rid of it.

The continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware, and a plain reboot won't help, because the malware comes back to life early in the restart.

But you can't reboot your Android from a CD or USB key, so what to do?

Android "Safe Mode"

Here's a technique that may get you out of trouble.

It might not always do the trick, but (at least on recent versions of Android) it has three handy benefits:

  • It doesn't require any special technical skills to carry out.
  • It doesn't require you to have installed any special software before the problem happened.
  • If it doesn't work, you can go back to where you were and be no worse off than you were before.

It's called "Safe Mode," and it's similar to safe mode in Windows, where your system starts up without loading any third-party add-ons.

In theory, if your phone isn't rooted (i.e. you haven't deliberately modified it so apps can be promoted to run with root, or system-level privilege), then no third-party apps you have installed should be able to trick the system into loading them in Safe Mode.

So booting into Safe Mode means you should always be able to get into the list of downloaded apps, malware or not, and remove unwanted ones.

(If a malware app doesn't launch in the first place, it can't fire up any active "anti-anti-virus" protection to shield itself from uninstallation.)

Booting into Safe Mode

Life would be much easier if all vendors had agreed on a standardised way to engage Safe Mode, preferably from a cold restart (i.e. after a power-off).

But they haven't, so you will have to plough through the techniques below until you find one that works for your device/version combination.

Method 1

(Reported to work on Google devices and various Android Open Source Project, or AOSP, derivatives like CyanogenMod.)

  • Press and hold the power button as you would to power down or reboot.
  • A menu will pop up.
  • Tap and hold the "Power off" option.
  • If nothing happens try the same with "Reboot".
  • A dialog should appear offering you to reboot in Safe Mode.

Method 2

(Reported to work on Samsung Galaxy S4.)

  • Power down.
  • Turn on and repeatedly tap the soft-button for "Menu."

Method 3

(Reported to work on Samsung Galaxy S3 and others)

  • Power down.
  • Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor's logo appears.

If you have managed to select Safe Mode, you will see the text "Safe Mode" at the bottom left corner of the screen.

To get out of Safe Mode, try simply rebooting.

If that doesn't work, try rebooting using one of the button-press options listed above, starting with the one you used to engage Safe Mode in the first place.

What to do when "Safe Mode" is active

Here's a practical example, removing the abovementioned Koler malware from an infected Android tablet.

This variant of the malware installs itself under the name BaDoink (apparently the name of a well-known online porn service), like this:

After booting into Safe Mode, third-party apps will no longer show up on the Apps page, as you can see here:

Go instead to the Settings menu and choose Apps:

This will bring up a list of downloaded (third-party) apps, including the Koler-infected BaDoink:

Tap on BaDoink; this won't run it, but will open up the program's App Info screen:

Tap on Uninstall, and you are almost home:

Choose [OK] to uninstall and you are done.

You may now reboot out of Safe Mode.

Hope this helps!

Oh, and in case you were wondering, Sophos Free Anti-Virus and Security for Android will help you stop getting infected in the first place by blocking the app before it runs for the first time.

Free download (no registration, no time-limit)...

, , , , , , , , , , ,

You might like

33 Responses to First Aid for Android: How to unlock your ransomed phone

  1. Sony's method is to go to the Power off screen then press and hold the "power off" text. A dialog box should appear asking whether you want to reboot to safe mode.

    • Paul Ducklin · 317 days ago

      I originally had both "Power Off" and "Reboot" listed; will go back to how it was :-)


    • Mark · 92 days ago

      This works on Xperia Z running 4.4.4

  2. For Xperia Z Power down,turn on & hold volume down button.

  3. VL-S · 317 days ago

    On a Nexus 7 running Android 4.4 you hold the power button until the menu appears. Then you tap-hold the "Power off" menu item until the "Reboot to safe mode" menu appears.

  4. Spike · 317 days ago

    Just to point out running a Nexus 5 stock rom (rooted) there is no Reboot option in the power menu popup. However if you press and hold the 'Power Off' you get the same option to reboot to Safe mode. The reboot option is in Cyanogenmod roms.

    Nexus 5 Stock Rom Instructions

    Press and hold the power button as you would to power down or reboot.
    A menu will pop up.
    Tap and hold the 'Power Off' option.
    A dialog should appear offering you to reboot in Safe Mode.

  5. AP · 317 days ago

    For my stock Samsung Galaxy Nexus on Verizon's network (4.2.2), you hold down the power button to get the menu, then long tap the Power Off option to get the prompt to select a Safe Mode reboot.

  6. Phil Sharpe · 317 days ago

    Galaxy S2 (Android 4.1.2): Power on while pressing (and holding) the soft menu button, until "safe mode" appears on screen

  7. Anonymous · 317 days ago

    the first method also works on a LG G2 (D802)

    • PaulT · 315 days ago

      The first method works fine on a Galaxy S4, 4.4.2, Verizon.

  8. Anonymous · 312 days ago

    if you know the apk name and USB debugging is turned on, you can use adb command

    "adb uninstall 'packagename' "

    facebook for example

    "adb uninstall"

    • Paul Ducklin · 311 days ago

      *If* USB degbugging is turned on. I'd say it's unwise to leave it enabled unless you really need it, and I'd guess that very few people have it turned on routinely. (Indeed, Sophos Anti-Virus for Android's "Security Advisor" feature will very handily remind you if you leave it on.)

      Also - I haven't tried this, so I'm just speculating - if you have the USB debugging notify option turned on, so that a pop-up appears on the device when you try to connect, the malware might get in the way of tapping [OK].

      (I recommend using USB debugging notify so that if you leave the adb server running on your computer by mistake, which is easy to do, you don't accidentally set up adb connections every time you plug in your Android, e.g. to charge it.)

  9. Dave · 306 days ago

    Can you use this method to get rid of "crapware " preinstalled on Android phones by vendors? I consider these nearly as offensive as a virus.

    • Paul Ducklin · 305 days ago

      I think the answer is "it depends."

      You can remove system apps with a utility like Titanium Backup, but I think you need a phone that can be rooted (configured to give apps of your choice superuser powers).

      Try it and see what apps are uninstallable from a Safe Mode boot!

  10. verdy_p · 303 days ago

    Test your phone eary to know how to enter safe mode. It's true that it is not only depending on manufacturer vut also on device model.

    On Samsung Galaxy S3, the power off menu proposes "power off" and "reboot" but form there there's no action at all to reboot in safe mode (even in the latest official firmware release): long press on the menu option does not propose it.

    The only way is to power off completely and then power on, and press the "volume down" button immediately as soon as you see the animated Samsung logo, and maintain that "volume down" button pressed until you see the "safe mode" desktop (you'll also see that all default apps built in the firmware will be deactivated and they will be reloaded and reinstalled cleanly from the official Google Store (if they have not signaled been blocked locally on that store).

    That "safe mode" (which may be also translated such as "Mode sécurisé" on French models), does not allow you to start any additional app.

    All you can do there is to go to the builtin "Parameters" application, from where you can access to the "Application manager" where you'll see the list of downloaded apps (you can unly uninstall them).

    You can still access to the Google Play store to perform updates for your apps (but you cannot run them). This can be useful also for reinstalling damaged applications (they have been damaged/corrupted by malwares):

    That store will also inform you if there are applications that have been banned there and Google Play will instantly propose you to remove them.

    Then go to the "My Files" application to see additional garbage that may remain in subfolders (note: this showns not only all other dowloaded app packages, but also the real content of your folders for photos, musics, videos, desktop images, ring tones... (unfortunately there's no way to start in this safe mode any installed antivirus.

    Frequently the malwares are storing additional files or storing logs and configuration data or spied data in these default folders, you don't see them in normal mode as these default folders are filtering the content to show only specific media types.

    On Galaxy S3, there's another option during power on to enter "root mode" (it is only used to install a new firmware), also by pressing and maintaining the volume button and the menu button as soon the Samsung logo animates.

    When you have finished the cleanup, power on and reboot in normal mode to use again your remaining apps.

  11. On the Galaxy S3 (Verizon), if you press and hold the power button to bring up the menu, then long tap on the Power Off option, it prompts you about entering Safe Mode. I should note that the phone is rooted, but still has the latest Verizon firmware installed (no mods).

  12. samuel · 149 days ago

    How do you get the FBI money pak virus off of a Motorola smart phone? the battery does not come out and I cannot get the power down button to do any thing?

  13. dina · 134 days ago

    how will I do it on my Samsung at& ?

    • Anonymous · 92 days ago

      I have a Samsung galaxy note 3. If you power on and wait just before it powers all the way up and press
      the "volume down" button, it will start in safe mode.

  14. Tim Eversole · 134 days ago

    How is it done with a Moto G phone?

  15. Tony G · 112 days ago

    If I press anything, nothing comes on the sreen. U can hear certain things tho. I'm so pissed, I havent had this phone a month yet........

  16. Anonymous · 94 days ago

    Thank You so much

  17. Anonymous · 91 days ago

    This works on lg phones the optimum
    Especially do not stress on this I did thought I would have to pay the fee but did not phone works all new now

  18. Anonymous · 81 days ago

    This worked GREAT on my Android Note 4... Thanks!

  19. Anonymous · 80 days ago

    How do I know if virus is gone

    • Paul Ducklin · 80 days ago could install Sophos Free Anti-Virus and Security for Android and do a scan :-)

      Link is in the Free Tools sidebar at the right hand side...

  20. JS Thragman · 78 days ago

    Well, I opened in SAFE mode, but after checking out all of the Apps on my S3, nothing even remotely suggested a malicious nature. I downloaded SOPHOS, ran the scan and found Flashplayer-2.apk (Andr/Generic-S)and vidoes.apk (Andr/Koler-C) SOPHOS scanning located what I couldn't.

    After uninstalling, my browser is up and running fine.

  21. anonymous · 63 days ago

    I can't run a scan with the Sophos app through safe mode. When I turn safe mode off a screen pops up telling me to activate flash player and it wont go away. I cant get to my app store to run the Sophos app.

  22. Anonymous · 43 days ago

    yea my lg phone gets stuck at the lock screen in safe mode for about 10 seconds then shuts off,leaving me to deal with a virus

  23. Anonymous · 38 days ago

    i was able to get my phone into safe mode as well, but the uninstall button doesn't light up, and so i can't delete it. i even tried to delete the app through app, and holding it, and sliding it into the uninstall up at the top, but that doesn't work any better. the app is porn player. maybe it has to do with what kind of porn app the phone downloaded.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog