We all dread the moment that our computers freeze up on us.
I’m not talking about a Blue Screen of Death or a Kernel Panic.
Those are bad enough, especially if you had just finished the perfect, final draft of a document but hadn’t yet hit [Save].
But even after a disorderly and unexpected shutdown of that sort, your computer will generally start back up again, usually automatically, and you can carry on where you left off.
Minus your document, of course.
What’s worse than a crash is when the system stays alive, but freezes or locks up so you can’t do anything useful.
It could be a misbehaving application that accidentally hogs all your system resources and won’t shut down, or it could be malware that deliberately pops up over everything else, hoping to strongarm you into paying a ransom for some sort of deactivation code that will give you back control of your computer.
Either way, rebooting might do the trick, but not if the errant software loads up before you have time to intervene and uninstall it.
If that happens, you may get stuck in an infinite loop of reboot-freeze-reboot-freeze.
Fortunately, most desktop operating systems have a way around this: if all else fails, you can use a special boot CD or USB key, such as Sophos Bootable Anti-Virus, to restart your computer without running any software from your hard disk at all.
→ You can see the clean boot technique in action removing the infamous Reveton ransomware from a Windows PC in a Naked Security video published on the SophosLabs YouTube channel.
Not all faults or infections can be sorted out like this (for example, if you have a failing hard disk, or malware that scrambles your files, like CryptoLocker).
But if all that’s in the way is a dodgy program that loads up early and then protects itself from being uninstalled, a clean boot can work wonders.
What about Android?
The question is, however: what about Android devices?
With fake anti-virus and “police warning” ransomware now a real-world threat on Android, it’s not impossible that you might be faced with just this sort of problem on your phone or tablet: a working device, but where the only usable app is asking you to pay $300 to make it go away.
Here’s the “police warning” ransomware known as Andr/Koler-A, for example, trying to squeeze you for a $300 MoneyPak voucher in return for uninstalling itself:
Koler effectively locks your phone with a pop-over browser window, like the one you see above, that quickly reappears if you try to get rid of it.
The continually reappearing pop-over window makes it as good as impossible to get into the Settings menu to remove the malware, and a plain reboot won’t help, because the malware comes back to life early in the restart.
But you can’t reboot your Android from a CD or USB key, so what to do?
Android “Safe Mode”
Here’s a technique that may get you out of trouble.
It might not always do the trick, but (at least on recent versions of Android) it has three handy benefits:
- It doesn’t require any special technical skills to carry out.
- It doesn’t require you to have installed any special software before the problem happened.
- If it doesn’t work, you can go back to where you were and be no worse off than you were before.
It’s called “Safe Mode,” and it’s similar to safe mode in Windows, where your system starts up without loading any third-party add-ons.
In theory, if your phone isn’t rooted (i.e. you haven’t deliberately modified it so apps can be promoted to run with root, or system-level privilege), then no third-party apps you have installed should be able to trick the system into loading them in Safe Mode.
So booting into Safe Mode means you should always be able to get into the list of downloaded apps, malware or not, and remove unwanted ones.
(If a malware app doesn’t launch in the first place, it can’t fire up any active “anti-anti-virus” protection to shield itself from uninstallation.)
Booting into Safe Mode
Life would be much easier if all vendors had agreed on a standardised way to engage Safe Mode, preferably from a cold restart (i.e. after a power-off).
But they haven’t, so you will have to plough through the techniques below until you find one that works for your device/version combination.
(Reported to work on Google devices and various Android Open Source Project, or AOSP, derivatives like CyanogenMod.)
- Press and hold the power button as you would to power down or reboot.
- A menu will pop up.
- Tap and hold the “Power off” option.
- If nothing happens try the same with “Reboot”.
- A dialog should appear offering you to reboot in Safe Mode.
(Reported to work on Samsung Galaxy S4.)
- Power down.
- Turn on and repeatedly tap the soft-button for “Menu.”
(Reported to work on Samsung Galaxy S3 and others)
- Power down.
- Turn on, then press and hold Volume Down (Galaxy S3 and others), Volume Up (HTC One and others), or Volume Down and Volume Up together (various Motorola devices) when the vendor’s logo appears.
If you have managed to select Safe Mode, you will see the text “Safe Mode” at the bottom left corner of the screen.
To get out of Safe Mode, try simply rebooting.
If that doesn’t work, try rebooting using one of the button-press options listed above, starting with the one you used to engage Safe Mode in the first place.
What to do when “Safe Mode” is active
Here’s a practical example, removing the abovementioned Koler malware from an infected Android tablet.
This variant of the malware installs itself under the name BaDoink (apparently the name of a well-known online porn service), like this:
After booting into Safe Mode, third-party apps will no longer show up on the Apps page, as you can see here:
Go instead to the Settings menu and choose Apps:
This will bring up a list of downloaded (third-party) apps, including the Koler-infected BaDoink:
Tap on BaDoink; this won’t run it, but will open up the program’s App Info screen:
Tap on Uninstall, and you are almost home:
Choose [OK] to uninstall and you are done.
You may now reboot out of Safe Mode.
Hope this helps!
Oh, and in case you were wondering, Sophos Free Anti-Virus and Security for Android will help you stop getting infected in the first place by blocking the app before it runs for the first time.
73 comments on “First Aid for Android: How to unlock your ransomed phone”
Sony’s method is to go to the Power off screen then press and hold the “power off” text. A dialog box should appear asking whether you want to reboot to safe mode.
I originally had both “Power Off” and “Reboot” listed; will go back to how it was 🙂
When I go to the virus (which says it is a System Update) it says it cannot download because it is a device administrator.. then when I go to manage device administrators, it says “No device administrators available” What do I do? o_o
In safe mode go to Settings > Security > Device Administrators. The ‘System Update’ should be ticked. Untick it. Then go back and uninstall it.
Hey I tried that it kicks me out help!! Soon as I hit deactivate booms boots back to random page
Same problem with me help I’ve looked everywhere
I have a galaxy s2 and got the cyper police virus locked me out. Went into safe mode and under settings- app manager- download, found a file called settings. Even with the widget graphic looked the same as androids.Seemed odd so deleted it and all is well. So cyber police virus is now called settings.
Firstly Thanks Paul for your lovely help. I just got the cyber police virus on my samsung galaxy s2. Started the phone in safe mode as per your instructions above (i had to keep the volume down key pressed once the phone restarts and the logo shows). I couldnt locate the kooler malware (Ba Doink file) but as Michael said it probably was named ‘settings’ so i looked into settings-app manager-download- and found a file ‘system update’ and uninstalled that. I restarted it and so far so good. Ive installed SOPHOS and am doing a scan right now..
Wow, I wrestled all night with my Note 3. I’m the dummy who accepted the program that locked up the phone. ‘Click on this so you can …’
Anyway; I knew I had to get to Settings or ???… before the male-ware kicked in. When I read your 1st suggestion it made so much sense. I had to do it several times because i was too slow. Then, ‘Power Off’ didn’t work. The first time I did it and hit ‘Restart’ I was in; ‘Safe-Mode’…. I cleaned so much garbage out of my phone, it’s running like new. It was sitting in settings on the app page as “PORN”…. I deleted the cache, then the program and uninstalled it… It asked me if I wanted replace it with the factory setting. I don’t remember the exact setting but, ‘It Is,’ in the start-up menu. So it hijacked a start up program and replaced it with, “PORD. Dummy / click on this.” There’s even a way to close ‘Safe Mode’ w/o pulling the battery but I pulled the battery to get a fresh reboot. Done… Thank you.
This works on Xperia Z running 4.4.4
For Xperia Z Power down,turn on & hold volume down button.
On a Nexus 7 running Android 4.4 you hold the power button until the menu appears. Then you tap-hold the “Power off” menu item until the “Reboot to safe mode” menu appears.
Just to point out running a Nexus 5 stock rom (rooted) there is no Reboot option in the power menu popup. However if you press and hold the ‘Power Off’ you get the same option to reboot to Safe mode. The reboot option is in Cyanogenmod roms.
Nexus 5 Stock Rom Instructions
Press and hold the power button as you would to power down or reboot.
A menu will pop up.
Tap and hold the ‘Power Off’ option.
A dialog should appear offering you to reboot in Safe Mode.
See reply to first comment above…
For my stock Samsung Galaxy Nexus on Verizon’s network (4.2.2), you hold down the power button to get the menu, then long tap the Power Off option to get the prompt to select a Safe Mode reboot.
what if you rebooted your phone before putting it on safe mode?
Galaxy S2 (Android 4.1.2): Power on while pressing (and holding) the soft menu button, until “safe mode” appears on screen
Its not working for my S2 is there a reason why ??
the first method also works on a LG G2 (D802)
The first method works fine on a Galaxy S4, 4.4.2, Verizon.
if you know the apk name and USB debugging is turned on, you can use adb command
“adb uninstall ‘packagename’ ”
facebook for example
“adb uninstall com.facebook.android”
*If* USB degbugging is turned on. I’d say it’s unwise to leave it enabled unless you really need it, and I’d guess that very few people have it turned on routinely. (Indeed, Sophos Anti-Virus for Android’s “Security Advisor” feature will very handily remind you if you leave it on.)
Also – I haven’t tried this, so I’m just speculating – if you have the USB debugging notify option turned on, so that a pop-up appears on the device when you try to connect, the malware might get in the way of tapping [OK].
(I recommend using USB debugging notify so that if you leave the adb server running on your computer by mistake, which is easy to do, you don’t accidentally set up adb connections every time you plug in your Android, e.g. to charge it.)
Can you use this method to get rid of “crapware ” preinstalled on Android phones by vendors? I consider these nearly as offensive as a virus.
I think the answer is “it depends.”
You can remove system apps with a utility like Titanium Backup, but I think you need a phone that can be rooted (configured to give apps of your choice superuser powers).
Try it and see what apps are uninstallable from a Safe Mode boot!
Test your phone eary to know how to enter safe mode. It’s true that it is not only depending on manufacturer vut also on device model.
On Samsung Galaxy S3, the power off menu proposes “power off” and “reboot” but form there there’s no action at all to reboot in safe mode (even in the latest official firmware release): long press on the menu option does not propose it.
The only way is to power off completely and then power on, and press the “volume down” button immediately as soon as you see the animated Samsung logo, and maintain that “volume down” button pressed until you see the “safe mode” desktop (you’ll also see that all default apps built in the firmware will be deactivated and they will be reloaded and reinstalled cleanly from the official Google Store (if they have not signaled been blocked locally on that store).
That “safe mode” (which may be also translated such as “Mode sécurisé” on French models), does not allow you to start any additional app.
All you can do there is to go to the builtin “Parameters” application, from where you can access to the “Application manager” where you’ll see the list of downloaded apps (you can unly uninstall them).
You can still access to the Google Play store to perform updates for your apps (but you cannot run them). This can be useful also for reinstalling damaged applications (they have been damaged/corrupted by malwares):
That store will also inform you if there are applications that have been banned there and Google Play will instantly propose you to remove them.
Then go to the “My Files” application to see additional garbage that may remain in subfolders (note: this showns not only all other dowloaded app packages, but also the real content of your folders for photos, musics, videos, desktop images, ring tones… (unfortunately there’s no way to start in this safe mode any installed antivirus.
Frequently the malwares are storing additional files or storing logs and configuration data or spied data in these default folders, you don’t see them in normal mode as these default folders are filtering the content to show only specific media types.
On Galaxy S3, there’s another option during power on to enter “root mode” (it is only used to install a new firmware), also by pressing and maintaining the volume button and the menu button as soon the Samsung logo animates.
When you have finished the cleanup, power on and reboot in normal mode to use again your remaining apps.
On the Galaxy S3 (Verizon), if you press and hold the power button to bring up the menu, then long tap on the Power Off option, it prompts you about entering Safe Mode. I should note that the phone is rooted, but still has the latest Verizon firmware installed (no mods).
I have s3 n nothing is working at all
How do you get the FBI money pak virus off of a Motorola smart phone? the battery does not come out and I cannot get the power down button to do any thing?
how will I do it on my Samsung at& ?
I have a Samsung galaxy note 3. If you power on and wait just before it powers all the way up and press
the “volume down” button, it will start in safe mode.
same with a lg g vista.. thank u been trying to get this off my phone for three months an i only had the phone for a few weeks before it happen and i couldnt even turn my phone on without that screen poping up … so thanks this saves my phone
How is it done with a Moto G phone?
If I press anything, nothing comes on the sreen. U can hear certain things tho. I’m so pissed, I havent had this phone a month yet……..
Thank You so much
This works on lg phones the optimum
Especially do not stress on this I did thought I would have to pay the fee but did not phone works all new now
What did you do?
This worked GREAT on my Android Note 4… Thanks!
How do I know if virus is gone
Well…you could install Sophos Free Anti-Virus and Security for Android and do a scan 🙂
Link is in the Free Tools sidebar at the right hand side…
Well, I opened in SAFE mode, but after checking out all of the Apps on my S3, nothing even remotely suggested a malicious nature. I downloaded SOPHOS, ran the scan and found Flashplayer-2.apk (Andr/Generic-S)and vidoes.apk (Andr/Koler-C)…so SOPHOS scanning located what I couldn’t.
After uninstalling, my browser is up and running fine.
I can’t run a scan with the Sophos app through safe mode. When I turn safe mode off a screen pops up telling me to activate flash player and it wont go away. I cant get to my app store to run the Sophos app.
Hi, sorry to hear you’re having trouble. We can’t offer product support here but I would recommend you try the support forum: http://openforum.sophos.com/t5/Sophos-Mobile-Security-for/bd-p/SMS_Android
yea my lg phone gets stuck at the lock screen in safe mode for about 10 seconds then shuts off,leaving me to deal with a virus
i was able to get my phone into safe mode as well, but the uninstall button doesn’t light up, and so i can’t delete it. i even tried to delete the app through app, and holding it, and sliding it into the uninstall up at the top, but that doesn’t work any better. the app is porn player. maybe it has to do with what kind of porn app the phone downloaded.
Did you check out the additional advice here:
Some more recent Android lockscreen malware deliberately makes itself harder to remove by turning off [Uninstall]. The above article gives one possible way around this. Might not work, but worth a try before you reflash your whole device 🙂
If that doesn’t work, you could try the online support forum for Sophos Free Anti-Virus and Security for Android…head here:
My safety mode is on, but i cant access my downloaded
logged on in safe mode and looked in settings but cannot identify “rougue” app.
i am in safe mode and removed all downloaded apps that I did not recognize yet the virus still has me locked out… i am very close to just doing a hard reset and losing all my pictures… Stupid hacker idiots should be hung by their toes and eaten by fire ants very slowly… they are messing with a lot of people that cant afford to just replace their stuff!
On Google Nexus tablet with Chrome browser locked by malware popup, I did not see any third party apps, so I selected ‘uninstall updates’ to Chrome which reset the app back to the factory version and this fixed the problem. Thanks.
hi paul ducklin, when i enter into safe mode on sony xperia m2 Aqua it shows enter possword, i think hackers locked possword to avoid safe mode process
The uinstall button is not working for this app which appears under Brower update ont phone and makes the police warning issue.
I am on safemode but not being able to unistall the malware.
How can I uninstall when uninstall option is not available for this app. Not even force stop available.
when safemode was active the porn app didnt give anunistall option
How do you get rid of the virus on Htc One X? Please help!
Guys I need help my phone got blocked and I can’t use it and safe mode won’t activate either please I need help
any advice how to do this on amazon fire phone please
method 2 works on galaxy centura tracfone! thank you!
I have a ransomware on my SG4 called droidprotectdevice and can not detect it in downloaded apps while in safe mode. I have followed the process described and can not find anything out of ordinary in my apps. Ransomware only blocks when doing an internet search in google. Doesn’t block in Chrome search. Please advise.
Followed your instructions and it worked. It feels good to be in control of my phone again. Thank!
I didnt see any app that was called badoink.. is there any other name for it.
Samsung galaxy s3.I went to applications manager →downloaded→uninstaled a couple of apps one was talksport the other 2 were smart care and bbc iplayer ,it must have been disguised as one of them as couldn’t see badoink in apps .working ok now.
I had the police warning about virus. I paid money by voucher. I rebooted the tab but virus was active. at that time I did not know what to do. so I broke the tab. after 7 days will there problem from police. please give advice in this difficult situation.
My uncle encountered a very similar virus/ malware on his Samsung Galaxy tab 10.1. He is in the UK, so the website that waste plastered on the screen was ‘Cheshire Police’. It was very simple to remove.Reboot into Safe Mode and then look into the app drawer. The developer of this ransomware cleverly hid the app as “Update” with the Android logo, so I didn’t catch it the first time around. Simply remove the app and reboot. The ransomware is gone.
The developer of this ransomware cleverly hid the app as “System Update” with the Android logo, so I didn’t catch it the first time around. Simply remove the app and reboot. The ransomware is gone.
mnay thanks to Waxsta
Just a note for those who can’t see the power off/reboot screen. On my HTC EVO, I held the power button until the phone rebooted. As it was powering back on, I held both the volume up and volume down button until it booted into safe mode. google boot HTC into safe mode.
Awesome. Thank you. Wouldn’t love to know who this arsehoes were. Had this issue on my Galaxy Tab 2. Followed the instructions and it is gone. Pretty simple to do. Like one or two others though, the app was ‘disguised’ as an update so took a little finding.
I have re-booted in safe mode but my tablet is tuck on the “complete action using” then theres launcher and a app I didn’t download called “Apus” and it will not let me go to settings, what do I do?
Hi I’m using an ANDROID PHONE, I’m not sure how but my guy mate downloaded PC games using my phone, when I got my phone back from him, THIS FAKE SYSTEM UPDATE kept popping up on my notifications screen. I’ve tried what you have said, I’m in safe mode, I’ve looked for the fake system update on my apps page but its not there. I can’t get rid of it, please help me. This fake system update has made all my other apps and phone settings go haywire on me.
when I go into safe mode on sony xperia m2 Aqua shows entering a password, I think the hacker locked password to avoid the process safe mode
Ummm…. it isn’t badoink
I think I just got lucky with a slightly different varient today. A client turns up with an Australian Federal Police branded version on his Galaxy Tab 8.0 (GT-N5150). After a bit of research I go into safe mode, find the offending App (ironically named “System Update” … keep reading before judgng me) but Uninstall is greyed out. Go to Security –> Device Admins and there is nothing other than Android Device Manager listed.
Poke around for a few hours on and off, then think to try an actual System Update. There is one available so I download and run it – gets lucky (?). Now on Android 4.2.2 (no idea what it was on when it was originally handed to me – whatever it shipped with I expect)
This doesn’t disable or remove the offending malware, but does force the App name into the Device Admins list.
From there, proceeded as above; back into safe mode, deactivating the device admin feature for the app allowed it to be successfully uninstalled.
Happy me, happy customer. Hope this helps someone. A thought … is there a way to force the list of Device Admins to be refreshed/re-enumerated some other way?
Hi! I’m using android phone(lenovo) and how do I getting rid of the virus or malware from my phone as it always stucked with an infinite loop of reboot-freeze-reboot-freeze when I lock ups(opened) my phone. Is there any chance for my phone to get rid of it? Or it has another way for it?
Thank you so much! I have a Galaxy On5 and I picked up a ransom ware that locked my screen. Your advice to hit the down volume key during boot up to put it into safe mode worked. I then easily removed the malware and my phone is working normally now. Again, THANK YOU!
i just got hit with this not even 15 minutes ago and it changed my password to a pin and i have no clue how to unlock it. (im already in safe mode i just cant unlock my phone now) please help……..