Sophos Cloud Optix
SophosLabs just alerted us to yet another example of Android ransomware.
Ransomware is the stuff that locks up your computer or phone with a pop-up that covers all your other apps, and sometimes even scrambles your data files.
What we’re talking about here is extortion or demanding money with menaces.
That’s because there’s a secret code that can unlock your phone, or decrypt your files, but only the crooks have it (or so they say).
If you want a copy of the recovery code, you have to pay.
The “fees” vary, from tens to hundreds, sometimes even thousands, of dollars.
Usually, payment is by some largely anonymous and irreversible mechanism, such as Bitcoin or a Moneypak voucher.
A persistent threat
Ransomware has been a persistent threat on desktop and laptop computers for several years.
The best-known example of lock-out malware is Reveton, which freezes out all other programs on Windows, including Task Manager, groundlessly accuses you of a crime (usually relating to piracy or pornography), and invites you to pay about $300 to make the “charges” go away.
And the best example of file-scrambling malware is CryptoLocker, which leaves your computer unlocked and running fine, but scrambles all your files with a strong cryptographic algorithm, before asking you for $300 for the decryption key.
→ The operational heart of the CryptoLocker malware, which relied on servers run by the crooks to produce and distribute a unique pair of encryption/decryption keys for each victim, was nobbled in a recent takedown operation driven by US law enforcement. Sadly, other malware has risen to take its place, because law enforcement can’t prevent people from getting infected by future variants, but the takedown was nevertheless an impressive and disruptive result.
With millions of ransom dollars, probably even hundreds of millions, already squeezed out of hapless victims around the world by desktop and laptop malware, it’s hardly surprising to see the crooks increasingly turning their malevolent attention to mobile devices.
This latest Android ransomware reported by SophosLabs follows a familiar theme, very much like the Koler malware we wrote about in May 2014.
But the new malware has a slight sting in the tail that Koler didn’t, making it trickier to remove.
So we thought we’d take you swiftly through the clean-up process.
FBILock-A
The malware, identified by Sophos as Andr/FBILock-A, masquerades as a Flash Player app:
Android doesn’t have Flash support, and even Adobe’s own Flash Player is no longer available as an add-on in the Play Store.
So this is may well seem like an enticing extra, and one for which you would expect to have to enable “Allow apps from unknown sources.”
On opening the app, it pops up a request to become a Device Administrator:
This is an official feature in Android intended to make the platform easier to control (and thus more likely to win acceptance) on a business network.
Ironically, a Device Administrator (DA) app is meant to be more secure than its vanilla counterparts, because a DA app can subscribe to centrally defined policies that enforce configuration settings such as minimum password length, data encryption and use of the camera.
Once launched, whether you allow the app to assume its requested DA powers or not, Andr/FBILock-A soon lives up to its name:
The extortion demand comes as soon as you tap PROCEED:
It is now very difficult to do anything with your phone, because the menaces screen keeps popping back up over whatever apps you try to run, including Settings, which you’d usually use to stop and get rid of misbehaving apps.
Using Safe mode
As we explained before, when showing you how to remove the Koler malware, you can get control back over your phone by using Safe Mode.
The mechanism for enabling it varies by device; one common way is to hold down the Power button; then tap and hold Power Off; then tap [OK] at the Reboot to safe mode dialog.
When Safe Mode is visible at the bottom left of your screen, apps that you’ve added to your phone shouldn’t be running, so FBILock can’t pop up to protect itself from removal.
But when you head to Settings | Apps and tap on the fake Flash Player icon, you’ll see that the Uninstall option is greyed out:
You need to head to Settings | Security and go into the Device administrators screen:
Tap on the FBILock app and you will be able to deactivate its administrative powers:
Now go back into the Settings | Apps page for the malware app, and the Uninstall button should be ready and waiting for you to use it:
Uninstall the app, and you just saved yourself $300 and a trip to the convenience store to buy that Moneypak card.
Next steps
Why not do either or both of these:
- Head back to Settings | Security | Device Administrator and turn Unknown sources off.
- Head to Google Play and get your free copy of Sophos Anti-Virus and Security for Android.
Image of handcuff silhouette courtesy of Shutterstock.
Safe mode on Moto G:
A.Hold turn off
B.Turn on with volup+voldown pressed down just after screen turns on!
well you can wipe it
Great post! I’ve been learning Android administration just by reading your posts.
Would plugging the phone into a computer, and deleting the app via a file manager work? (My phone has no safe mode feature–2.3.4–yep, it’s old)
if you have android sdk and rooted phone , you can do it not otherwise.
normal file manager will display contents from sdcard
its time to get a new phone my friend
Explanations were very understandable — i.e., in lay language. Thank you!
Have encountered an even trickier version of this ransomware on a customer’s ASUS TF101 (Android 4.0.3). There were NO Device Administrators at all, so there was no way to Deactivate. Adobe Flash 11 was already installed and appeared to be legit, including ability to Uninstall (not grayed out). There were a couple of apps that had the Uninstall grayed out (HDPorn and another app, I am not very helpful here because I cannot find my notes from earlier today…) In Safe Mode, all of the 3rd Party Apps appeared to be listed in Alphabetical order rather than chronologically. Only thing I could do for this customer was to reset back to factory state and then install Sophos Mobile Security for Android.
Hi Dave,
Have you seen any solution other than factory reset? I have a Sony Tablet S. I’m able to access file manager from the safe mode- so, if I knew what to look for I could delete it.
What a shame there is no Sophos Anti-Virus and Security for Windows phone.
I like how this is the first time someone mentioned the possibility that the uninstall would be greyed out- because most people would look there first. -so that’s greyed out on the lastest version scamming as adobe flash- but what do you do when it will not allow you to remove it as an administrator- because the the new code pops up a box that says- system application could not be removed” so you cannot use that method. Any new ideas, other than factory reset- which I might add would be the absolute last resort for most people. I have a Samsung note 2
all i did was take battery out put it back in, as soon as screen came back disabled data and turned on airplane mode then followed the above step
This is super helpful. it might be confusing but this is the best way to do this and not have to pay some website to do it for you. if you focus then it isn’t that confusing
I have the ransom fbi virus on my samsung note 3. I had no problem doing all the above as far as getting to the areas needed but did not find any unknown apps or flash. I ran my norton mobile and avast mobile and neither found any virus but yet I still have the fbi ransom screen. This virus is not detectable. Anyone have any ideas on how to proceed short of a hard reset?
I really hope you get this soon. When I go to device administrators it shows the update video player and when I uncheck the mark it gives me the option to deactivate. But when I press it says system applications could not be removed. I click ok then it does nothing. So I’m back to square 1 in safe mode what to do???
wheni reboot in safe mode and go to settings the infected app will not uninstall
You didn’t say if you checked if the malware was installed as a “Device Administrator.”
Thanks for the wonderful post, Paul.
BTW, what’s the MD5 hash of this version? I want to share this process with hands-on experience. But, I can only find the older Andr/Koler-A version or more evil version as “Dave Duke SF” described above…
i have a huawei and no safe mode is there another way
I had to destroy my Samsung gal.!!
I deleted it from downloaded apps in my AVG (free) and turned it off – it was gone when I turned it on in the morning and everything worked normally.
For some reason it will not let me delete adobe as admin it all goes as u stated but it then just stays on a white screen saying admin will be deactivated but doesn’t do anything else
This is my 2nd Samsung Galaxy phone and I just think I just wait till they get this ransome ware fixed before I get another one I go back to low tech. It not so costly.
As of Feb 25, 2016 it’s called app source under applications manager
The virus is not appearing in Device administrators
Thank you for this post, it helped me remove this pesky virus. Still cannot believe it was so easy to lose _complete_ control over my phone. Followed your steps and got rid of it in 20 mins – thank you!
For anyone coming here with the same problems – in my case the app had a clever important-sounding name – “System update” (as of 18.04.2016) and did not allow an uninstall from app manager so you have to go through security -> device admins and cut off it’s admin powers.
Thanks again for this helpful post!
How to get rid of police cyber scam and not lose my applications
Help …got a new Samsung Galaxy S6 in May…and this just happened to me today…FBI locked…I could not imagine the craziness…knew it must be hijacked…but now I cannot figure it out…my phone will not close or open just stays on the same screen locked…
Did you find out how to get past the screen im having the same problem
I have an adroid HTC DESIRE626s and its infected by the fbi malware virus but it will not allow me to view anything else but the “fbi” page. How can i restart my phone if virus is blocking me
I cannot get my phone in safe mode. I can’t take the battery out (note 5) and my phone is completely locked by this virus. Everything is overridden by the virus or FBI app. Any help in getting my device in safe mode, or turned off? Or whatever I need to. I’m with DEVEN & John above, probably more. I can’t even get to safe mode. Any help would be greatly appreciated. Thanks! 🙂
I had that FBI ransom virus and attach told me to do a hard reset with volume up power button thing well after the reset it will get to the Google part but no further. Says password is wrong and won’t let me skip that ssection on my Samsung phone.
I recently got this virus on my Samsung Galaxy S6 Active, and the virus has overridden everything, I can’t even turn off my phone. I can’t take the battery out of an S6 Active either, what do I do?