First Aid for Android: How to unlock your ransomed phone


We all dread the moment that our computers freeze up on us.

I’m not talking about a Blue Screen of Death or a Kernel Panic.

Those are bad enough, especially if you had just finished the perfect, final draft of a document but hadn’t yet hit [Save].

But even after a disorderly and unexpected shutdown of that sort, your computer will generally start back up again, usually automatically, and you can carry on where you left off.

Minus your document, of course.

What’s worse than a crash is when the system stays alive, but freezes or locks up so you can’t do anything useful.

It could be a misbehaving application that accidentally hogs all your system resources and won’t shut down, or it could be malware that deliberately pops up over everything else, hoping to strong-arm you into paying a ransom for some sort of deactivation code that will give you back control of your computer.

Either way, rebooting might do the trick, but not if the errant software loads up before you have time to intervene and uninstall it.

If that happens, you may get stuck in an infinite loop of reboot-freeze-reboot-freeze.

Fortunately, most desktop operating systems have a way around this: if all else fails, you can use a special boot CD or USB key, such as Sophos Bootable Anti-Virus, to restart your computer without running any software from your hard disk at all.

→ You can see the clean boot technique in action removing the infamous Reveton ransomware from a Windows PC in a Naked Security video published on the SophosLabs YouTube channel.

Not all faults or infections can be sorted out like this (for example, if you have a failing hard disk, or malware that scrambles your files, like CryptoLocker).

But if all that’s in the way is a dodgy program that loads up early and then protects itself from being uninstalled, a clean boot can work wonders.

What about Android?

The question is, however: what about Android devices?

With fake anti-virus and “police warning” ransomware now a real-world threat on Android, it’s not impossible that you might be faced with just this sort of problem on your phone or tablet: a working device, but where the only usable app is asking you to pay $300 to make it go away.

Here’s the “police warning” ransomware known as Andr/Koler-A, for example, trying to squeeze you for a $300 MoneyPak voucher in return for uninstalling itself:

Koler effectively locks your phone with a pop-over browser window, like the one you see above, that quickly reappears if you try to get rid of it.

The continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware, and a plain reboot won’t help, because the malware comes back to life early in the restart.

But you can’t reboot your Android from a CD or USB key, so what to do?

Android “Safe Mode”

Here’s a technique that may get you out of trouble.

It might not always do the trick, but (at least on recent versions of Android) it has three handy benefits:

  • It doesn’t require any special technical skills to carry out.
  • It doesn’t require you to have installed any special software before the problem happened.
  • If it doesn’t work, you can go back to where you were and be no worse off than you were before.

It’s called “Safe Mode,” and it’s similar to safe mode in Windows, where your system starts up without loading any third-party add-ons.

In theory, if your phone isn’t rooted (i.e. you haven’t deliberately modified it so apps can be promoted to run with root, or system-level privilege), then no third-party apps you have installed should be able to trick the system into loading them in Safe Mode.

So booting into Safe Mode means you should always be able to get into the list of downloaded apps, malware or not, and remove unwanted ones.

(If a malware app doesn’t launch in the first place, it can’t fire up any active “anti-anti-virus” protection to shield itself from uninstallation.)

Booting into Safe Mode

Life would be much easier if all vendors had agreed on a standardised way to engage Safe Mode, preferably from a cold restart (i.e. after a power-off).

But they haven’t, so you will have to plough through the techniques below until you find one that works for your device/version combination.

Method 1

(Reported to work on Google devices and various Android Open Source Project, or AOSP, derivatives like CyanogenMod.)

  • Press and hold the power button as you would to power down or reboot.
  • A menu will pop up.
  • Tap and hold the “Power off” option.
  • If nothing happens, try the same with “Reboot”.
  • A dialog should appear offering to reboot into Safe Mode.

Method 2

(Reported to work on Samsung Galaxy S4.)

  • Power down.
  • Turn on and repeatedly tap the soft-button for “Menu.”

Method 3

(Reported to work on Samsung Galaxy S3 and others.)

  • Power down.
  • Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor’s logo appears.

If you have managed to select Safe Mode, you will see the text “Safe Mode” at the bottom left corner of the screen.

To get out of Safe Mode, try simply rebooting.

If that doesn’t work, try rebooting using one of the button-press options listed above, starting with the one you used to engage Safe Mode in the first place.

What to do when “Safe Mode” is active

Here’s a practical example, removing the above-mentioned Koler malware from an infected Android tablet.

This variant of the malware installs itself under the name BaDoink (apparently the name of a well-known online porn service), like this:

After booting into Safe Mode, third-party apps will no longer show up on the Apps page, as you can see here:

Go instead to the Settings menu and choose Apps:

This will bring up a list of downloaded (third-party) apps, including the Koler-infected BaDoink:

Tap on BaDoink; this won’t run it, but will open up the program’s App Info screen:

Tap on Uninstall, and you are almost home:

Choose [OK] to uninstall and you are done.

You may now reboot out of Safe Mode.

Hope this helps!

Oh, and in case you were wondering, Sophos Free Anti-Virus and Security for Android will help you stop getting infected in the first place by blocking the app before it runs for the first time.
