First Aid for Android: How to unlock your ransomed phone

We all dread the moment that our computers freeze up on us.

I'm not talking about a Blue Screen of Death or a Kernel Panic.

Those are bad enough, especially if you had just finished the perfect, final draft of a document but hadn't yet hit [Save].

But even after a disorderly and unexpected shutdown of that sort, your computer will generally start back up again, usually automatically, and you can carry on where you left off.

Minus your document, of course.

What's worse than a crash is when the system stays alive, but freezes or locks up so you can't do anything useful.

It could be a misbehaving application that accidentally hogs all your system resources and won't shut down, or it could be malware that deliberately pops up over everything else, hoping to strongarm you into paying a ransom for some sort of deactivation code that will give you back control of your computer.

Either way, rebooting might do the trick, but not if the errant software loads up before you have time to intervene and uninstall it.

If that happens, you may get stuck in an infinite loop of reboot-freeze-reboot-freeze.

Fortunately, most desktop operating systems have a way around this: if all else fails, you can use a special boot CD or USB key, such as Sophos Bootable Anti-Virus, to restart your computer without running any software from your hard disk at all.

→ You can see the clean boot technique in action removing the infamous Reveton ransomware from a Windows PC in a Naked Security video published on the SophosLabs YouTube channel.

Not all faults or infections can be sorted out like this (for example, if you have a failing hard disk, or malware that scrambles your files, like CryptoLocker).

But if all that's in the way is a dodgy program that loads up early and then protects itself from being uninstalled, a clean boot can work wonders.

What about Android?

The question is, however: what about Android devices?

With fake anti-virus and "police warning" ransomware now a real-world threat on Android, it's not impossible that you might be faced with just this sort of problem on your phone or tablet: a working device, but where the only usable app is asking you to pay $300 to make it go away.

Here's the "police warning" ransomware known as Andr/Koler-A, for example, trying to squeeze you for a $300 MoneyPak voucher in return for uninstalling itself:

Koler effectively locks your phone with a pop-over browser window, like the one you see above, that quickly reappears if you try to get rid of it.

The continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware, and a plain reboot won't help, because the malware comes back to life early in the restart.

But you can't reboot your Android from a CD or USB key, so what to do?

Android "Safe Mode"

Here's a technique that may get you out of trouble.

It might not always do the trick, but (at least on recent versions of Android) it has three handy benefits:

  • It doesn't require any special technical skills to carry out.
  • It doesn't require you to have installed any special software before the problem happened.
  • If it doesn't work, you can go back to where you were and be no worse off than you were before.

It's called "Safe Mode," and it's similar to safe mode in Windows, where your system starts up without loading any third-party add-ons.

In theory, if your phone isn't rooted (i.e. you haven't deliberately modified it so apps can be promoted to run with root, or system-level privilege), then no third-party apps you have installed should be able to trick the system into loading them in Safe Mode.

So booting into Safe Mode means you should always be able to get into the list of downloaded apps, malware or not, and remove unwanted ones.

(If a malware app doesn't launch in the first place, it can't fire up any active "anti-anti-virus" protection to shield itself from uninstallation.)

Booting into Safe Mode

Life would be much easier if all vendors had agreed on a standardised way to engage Safe Mode, preferably from a cold restart (i.e. after a power-off).

But they haven't, so you will have to plough through the techniques below until you find one that works for your device/version combination.

Method 1

(Reported to work on Google devices and various Android Open Source Project, or AOSP, derivatives like CyanogenMod.)

  • Press and hold the power button as you would to power down or reboot.
  • A menu will pop up.
  • Tap and hold the "Power off" option.
  • If nothing happens, try the same with "Reboot".
  • A dialog should appear offering to reboot into Safe Mode.

Method 2

(Reported to work on Samsung Galaxy S4.)

  • Power down.
  • Turn on and repeatedly tap the soft-button for "Menu."

Method 3

(Reported to work on Samsung Galaxy S3 and others.)

  • Power down.
  • Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor's logo appears.

If you have managed to select Safe Mode, you will see the text "Safe Mode" at the bottom left corner of the screen.

To get out of Safe Mode, try simply rebooting.

If that doesn't work, try rebooting using one of the button-press options listed above, starting with the one you used to engage Safe Mode in the first place.

What to do when "Safe Mode" is active

Here's a practical example, removing the abovementioned Koler malware from an infected Android tablet.

This variant of the malware installs itself under the name BaDoink (apparently the name of a well-known online porn service), like this:

After booting into Safe Mode, third-party apps will no longer show up on the Apps page, as you can see here:

Go instead to the Settings menu and choose Apps:

This will bring up a list of downloaded (third-party) apps, including the Koler-infected BaDoink:

Tap on BaDoink; this won't run it, but will open up the program's App Info screen:

Tap on Uninstall, and you are almost home:

Choose [OK] to uninstall and you are done.

You may now reboot out of Safe Mode.

Hope this helps!

Oh, and in case you were wondering, Sophos Free Anti-Virus and Security for Android will help you stop getting infected in the first place by blocking the app before it runs for the first time.

46 Responses to First Aid for Android: How to unlock your ransomed phone

  1. Sony's method is to go to the Power off screen then press and hold the "power off" text. A dialog box should appear asking whether you want to reboot to safe mode.

    • Paul Ducklin · 507 days ago

      I originally had both "Power Off" and "Reboot" listed; will go back to how it was :-)


    • Mark · 282 days ago

      This works on Xperia Z running 4.4.4

  2. For Xperia Z Power down, turn on & hold volume down button.

  3. VL-S · 507 days ago

    On a Nexus 7 running Android 4.4 you hold the power button until the menu appears. Then you tap-hold the "Power off" menu item until the "Reboot to safe mode" menu appears.

  4. Spike · 507 days ago

    Just to point out running a Nexus 5 stock rom (rooted) there is no Reboot option in the power menu popup. However if you press and hold the 'Power Off' you get the same option to reboot to Safe mode. The reboot option is in Cyanogenmod roms.

    Nexus 5 Stock Rom Instructions

    Press and hold the power button as you would to power down or reboot.
    A menu will pop up.
    Tap and hold the 'Power Off' option.
    A dialog should appear offering you to reboot in Safe Mode.

  5. AP · 507 days ago

    For my stock Samsung Galaxy Nexus on Verizon's network (4.2.2), you hold down the power button to get the menu, then long tap the Power Off option to get the prompt to select a Safe Mode reboot.

    • Anonymous · 185 days ago

      what if you rebooted your phone before putting it on safe mode?

  6. Phil Sharpe · 507 days ago

    Galaxy S2 (Android 4.1.2): Power on while pressing (and holding) the soft menu button, until "safe mode" appears on screen

    • Anonymous · 34 days ago

      It's not working for my S2. Is there a reason why?

  7. Anonymous · 507 days ago

    the first method also works on a LG G2 (D802)

    • PaulT · 506 days ago

      The first method works fine on a Galaxy S4, 4.4.2, Verizon.

  8. Anonymous · 502 days ago

    if you know the apk name and USB debugging is turned on, you can use adb command

    "adb uninstall 'packagename' "

    facebook for example

    "adb uninstall"

    • Paul Ducklin · 501 days ago

      *If* USB debugging is turned on. I'd say it's unwise to leave it enabled unless you really need it, and I'd guess that very few people have it turned on routinely. (Indeed, Sophos Anti-Virus for Android's "Security Advisor" feature will very handily remind you if you leave it on.)

      Also - I haven't tried this, so I'm just speculating - if you have the USB debugging notify option turned on, so that a pop-up appears on the device when you try to connect, the malware might get in the way of tapping [OK].

      (I recommend using USB debugging notify so that if you leave the adb server running on your computer by mistake, which is easy to do, you don't accidentally set up adb connections every time you plug in your Android, e.g. to charge it.)
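The adb route discussed in the comment and reply above, as an added example that is not part of the original post or its comments: it shortlists third-party packages that Google Play did not install and validates a package name before passing it to `adb uninstall`. It assumes USB debugging is enabled and the computer is authorised; the function names and the sample package names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): shortlist third-party packages
# that Google Play did not install, then remove one by name over adb.
# Assumption: USB debugging is enabled and this computer is authorised.

# Constructed sample of `adb shell pm list packages -3 -i` output.
# Package names are made up; real output may differ between Android versions.
SAMPLE_OUTPUT='package:com.example.notes  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:org.example.flashupdate
package:com.example.game  installer=com.android.vending'

# Reads `pm list packages -3 -i` lines on stdin and prints the names of
# packages whose recorded installer is not Google Play (com.android.vending).
sideloaded_packages() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # older adb emits CRLF
        case "$line" in
            package:*) rest=${line#package:} ;;
            *) continue ;;                         # skip warnings, blanks
        esac
        case "$rest" in
            *installer=com.android.vending*) ;;    # installed via Play
            *) printf '%s\n' "${rest%% *}" ;;      # null or missing installer
        esac
    done
}

# Accept only dotted names made of letters, digits, '_' and '.', so that a
# mistyped or pasted string is rejected before adb is called.
valid_package_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._]*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Uninstall one package after validating its name.
remove_package() {
    valid_package_name "$1" || { echo "refusing: '$1'" >&2; return 1; }
    adb uninstall "$1"
}

# With --device, query the attached phone; otherwise use the sample above.
if [ "${1:-}" = "--device" ]; then
    adb shell pm list packages -3 -i | sideloaded_packages
else
    printf '%s\n' "$SAMPLE_OUTPUT" | sideloaded_packages
fi
```

A `null` or missing installer only means the app did not arrive through Google Play, so treat the output as a shortlist to review rather than a verdict.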

  9. Dave · 496 days ago

    Can you use this method to get rid of "crapware" preinstalled on Android phones by vendors? I consider these nearly as offensive as a virus.

    • Paul Ducklin · 496 days ago

      I think the answer is "it depends."

      You can remove system apps with a utility like Titanium Backup, but I think you need a phone that can be rooted (configured to give apps of your choice superuser powers).

      Try it and see what apps are uninstallable from a Safe Mode boot!

  10. verdy_p · 494 days ago

    Test your phone early to know how to enter safe mode. It's true that it is not only depending on manufacturer but also on device model.

    On Samsung Galaxy S3, the power off menu proposes "power off" and "reboot" but from there there's no action at all to reboot in safe mode (even in the latest official firmware release): long press on the menu option does not propose it.

    The only way is to power off completely and then power on, and press the "volume down" button immediately as soon as you see the animated Samsung logo, and maintain that "volume down" button pressed until you see the "safe mode" desktop (you'll also see that all default apps built in the firmware will be deactivated and they will be reloaded and reinstalled cleanly from the official Google Store (if they have not signaled been blocked locally on that store)).

    That "safe mode" (which may be also translated such as "Mode sécurisé" on French models), does not allow you to start any additional app.

    All you can do there is to go to the builtin "Parameters" application, from where you can access to the "Application manager" where you'll see the list of downloaded apps (you can only uninstall them).

    You can still access to the Google Play store to perform updates for your apps (but you cannot run them). This can be useful also for reinstalling damaged applications (they have been damaged/corrupted by malwares):

    That store will also inform you if there are applications that have been banned there and Google Play will instantly propose you to remove them.

    Then go to the "My Files" application to see additional garbage that may remain in subfolders (note: this shows not only all other downloaded app packages, but also the real content of your folders for photos, musics, videos, desktop images, ring tones...). Unfortunately there's no way to start in this safe mode any installed antivirus.

    Frequently the malwares are storing additional files or storing logs and configuration data or spied data in these default folders, you don't see them in normal mode as these default folders are filtering the content to show only specific media types.

    On Galaxy S3, there's another option during power on to enter "root mode" (it is only used to install a new firmware), also by pressing and maintaining the volume button and the menu button as soon the Samsung logo animates.

    When you have finished the cleanup, power on and reboot in normal mode to use again your remaining apps.

  11. On the Galaxy S3 (Verizon), if you press and hold the power button to bring up the menu, then long tap on the Power Off option, it prompts you about entering Safe Mode. I should note that the phone is rooted, but still has the latest Verizon firmware installed (no mods).

  12. samuel · 339 days ago

    How do you get the FBI money pak virus off of a Motorola smart phone? the battery does not come out and I cannot get the power down button to do any thing?

  13. dina · 324 days ago

    how will I do it on my Samsung at& ?

    • Anonymous · 282 days ago

      I have a Samsung galaxy note 3. If you power on and wait just before it powers all the way up and press
      the "volume down" button, it will start in safe mode.

      • Anonymous · 114 days ago

        same with a lg g vista.. thank u been trying to get this off my phone for three months and i only had the phone for a few weeks before it happen and i couldn't even turn my phone on without that screen popping up ... so thanks this saves my phone

  14. Tim Eversole · 324 days ago

    How is it done with a Moto G phone?

  15. Tony G · 303 days ago

    If I press anything, nothing comes on the screen. U can hear certain things tho. I'm so pissed, I haven't had this phone a month yet........

  16. Anonymous · 284 days ago

    Thank You so much

  17. Anonymous · 281 days ago

    This works on lg phones the optimum
    Especially do not stress on this I did thought I would have to pay the fee but did not phone works all new now

  18. Anonymous · 272 days ago

    This worked GREAT on my Android Note 4... Thanks!

  19. Anonymous · 271 days ago

    How do I know if virus is gone

    • Paul Ducklin · 270 days ago

      could install Sophos Free Anti-Virus and Security for Android and do a scan :-)

      Link is in the Free Tools sidebar at the right hand side...

  20. JS Thragman · 269 days ago

    Well, I opened in SAFE mode, but after checking out all of the Apps on my S3, nothing even remotely suggested a malicious nature. I downloaded SOPHOS, ran the scan and found Flashplayer-2.apk (Andr/Generic-S) and vidoes.apk (Andr/Koler-C). SOPHOS scanning located what I couldn't.

    After uninstalling, my browser is up and running fine.

  21. anonymous · 253 days ago

    I can't run a scan with the Sophos app through safe mode. When I turn safe mode off a screen pops up telling me to activate flash player and it won't go away. I can't get to my app store to run the Sophos app.

  22. Anonymous · 233 days ago

    yea my lg phone gets stuck at the lock screen in safe mode for about 10 seconds then shuts off, leaving me to deal with a virus

  23. Anonymous · 229 days ago

    i was able to get my phone into safe mode as well, but the uninstall button doesn't light up, and so i can't delete it. i even tried to delete the app through app, and holding it, and sliding it into the uninstall up at the top, but that doesn't work any better. the app is porn player. maybe it has to do with what kind of porn app the phone downloaded.

  24. yetunde · 181 days ago

    My safety mode is on, but i cant access my downloaded

  25. Anonymous · 126 days ago

    logged on in safe mode and looked in settings but cannot identify "rogue" app.

  26. Thomas · 125 days ago

    i am in safe mode and removed all downloaded apps that I did not recognize yet the virus still has me locked out... i am very close to just doing a hard reset and losing all my pictures... Stupid hacker idiots should be hung by their toes and eaten by fire ants very slowly... they are messing with a lot of people that can't afford to just replace their stuff!

  27. Jim · 110 days ago

    On Google Nexus tablet with Chrome browser locked by malware popup, I did not see any third party apps, so I selected 'uninstall updates' to Chrome which reset the app back to the factory version and this fixed the problem. Thanks.

  28. ali · 108 days ago

    hi paul ducklin, when i enter into safe mode on sony xperia m2 Aqua it shows enter password, i think hackers locked password to avoid safe mode process

  29. aida · 98 days ago

    The uninstall button is not working for this app which appears under Browser update on the phone and makes the police warning issue.
    I am on safemode but not being able to uninstall the malware.
    How can I uninstall when uninstall option is not available for this app. Not even force stop available.
    Please help

  30. Anonymous · 65 days ago

    when safemode was active the porn app didn't give an uninstall option

  31. emma · 62 days ago

    How do you get rid of the virus on Htc One X? Please help!

  32. Kenny · 43 days ago

    Guys I need help my phone got blocked and I can't use it and safe mode won't activate either please I need help

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog