Android "FBI Lock" malware - how to avoid paying the ransom

Filed Under: Android, Featured, Google, Malware, Ransomware

SophosLabs just alerted us to yet another example of Android ransomware.

Ransomware is the stuff that locks up your computer or phone with a pop-up that covers all your other apps, and sometimes even scrambles your data files.

What we're talking about here is extortion or demanding money with menaces.

That's because there's a secret code that can unlock your phone, or decrypt your files, but only the crooks have it (or so they say).

If you want a copy of the recovery code, you have to pay.

The "fees" vary, from tens to hundreds, sometimes even thousands, of dollars.

Usually, payment is by some largely anonymous and irreversible mechanism, such as Bitcoin or a Moneypak voucher.

A persistent threat

Ransomware has been a persistent threat on desktop and laptop computers for several years.

The best-known example of lock-out malware is Reveton, which freezes out all other programs on Windows, including Task Manager, groundlessly accuses you of a crime (usually relating to piracy or pornography), and invites you to pay about $300 to make the "charges" go away.

And the best example of file-scrambling malware is CryptoLocker, which leaves your computer unlocked and running fine, but scrambles all your files with a strong cryptographic algorithm, before asking you for $300 for the decryption key.

→ The operational heart of the CryptoLocker malware, which relied on servers run by the crooks to produce and distribute a unique pair of encryption/decryption keys for each victim, was nobbled in a recent takedown operation driven by US law enforcement. Sadly, other malware has risen to take its place, because law enforcement can't prevent people from getting infected by future variants, but the takedown was nevertheless an impressive and disruptive result.

With millions of ransom dollars, probably even hundreds of millions, already squeezed out of hapless victims around the world by desktop and laptop malware, it's hardly surprising to see the crooks increasingly turning their malevolent attention to mobile devices.

This latest Android ransomware reported by SophosLabs follows a familiar theme, very much like the Koler malware we wrote about in May 2014.

But the new malware has a slight sting in the tail that Koler didn't, making it trickier to remove.

So we thought we'd take you swiftly through the clean-up process.


The malware, identified by Sophos as Andr/FBILock-A, masquerades as a Flash Player app:

Android doesn't have Flash support, and even Adobe's own Flash Player is no longer available as an add-on in the Play Store.

So this is may well seem like an enticing extra, and one for which you would expect to have to enable "Allow apps from unknown sources."

On opening the app, it pops up a request to become a Device Administrator:

This is an official feature in Android intended to make the platform easier to control (and thus more likely to win acceptance) on a business network.

Ironically, a Device Administrator (DA) app is meant to be more secure than its vanilla counterparts, because a DA app can subscribe to centrally defined policies that enforce configuration settings such as minimum password length, data encryption and use of the camera.

Once launched, whether you allow the app to assume its requested DA powers or not, Andr/FBILock-A soon lives up to its name:

The extortion demand comes as soon as you tap PROCEED:

It is now very difficult to do anything with your phone, because the menaces screen keeps popping back up over whatever apps you try to run, including Settings, which you'd usually use to stop and get rid of misbehaving apps.

Using Safe mode

As we explained before, when showing you how to remove the Koler malware, you can get control back over your phone by using Safe Mode.

The mechanism for enabling it varies by device; one common way is to hold down the Power button; then tap and hold Power Off; then tap [OK] at the Reboot to safe mode dialog.

When Safe Mode is visible at the bottom left of your screen, apps that you've added to your phone shouldn't be running, so FBILock can't pop up to protect itself from removal.

But when you head to Settings | Apps and tap on the fake Flash Player icon, you'll see that the Uninstall option is greyed out:

You need to head to Settings | Security and go into the Device administrators screen:

Tap on the FBILock app and you will be able to deactivate its administrative powers:

Now go back into the Settings | Apps page for the malware app, and the Uninstall button should be ready and waiting for you to use it:

Uninstall the app, and you just saved yourself $300 and a trip to the convenience store to buy that Moneypak card.

Next steps

Why not do either or both of these:

Free download (no registration, no time-limit)...

Image of handcuff silhouette courtesy of Shutterstock.

, , , , , , , , ,

You might like

20 Responses to Android "FBI Lock" malware - how to avoid paying the ransom

  1. Safe mode on Moto G:
    A.Hold turn off
    B.Turn on with volup+voldown pressed down just after screen turns on!

  2. Laurence Marks · 445 days ago

    Great post! I've been learning Android administration just by reading your posts.

  3. Jon · 445 days ago

    Would plugging the phone into a computer, and deleting the app via a file manager work? (My phone has no safe mode feature--2.3.4--yep, it's old)

    • Anonymous · 445 days ago

      if you have android sdk and rooted phone , you can do it not otherwise.
      normal file manager will display contents from sdcard

    • Anonymous · 377 days ago

      its time to get a new phone my friend

  4. J. E. Seymour · 444 days ago

    Explanations were very understandable -- i.e., in lay language. Thank you!

  5. Dave Duke SF · 435 days ago

    Have encountered an even trickier version of this ransomware on a customer's ASUS TF101 (Android 4.0.3). There were NO Device Administrators at all, so there was no way to Deactivate. Adobe Flash 11 was already installed and appeared to be legit, including ability to Uninstall (not grayed out). There were a couple of apps that had the Uninstall grayed out (HDPorn and another app, I am not very helpful here because I cannot find my notes from earlier today...) In Safe Mode, all of the 3rd Party Apps appeared to be listed in Alphabetical order rather than chronologically. Only thing I could do for this customer was to reset back to factory state and then install Sophos Mobile Security for Android.

    • Hi Dave,

      Have you seen any solution other than factory reset? I have a Sony Tablet S. I'm able to access file manager from the safe mode- so, if I knew what to look for I could delete it.

  6. Paul Williams · 428 days ago

    What a shame there is no Sophos Anti-Virus and Security for Windows phone.

  7. stevie · 364 days ago

    I like how this is the first time someone mentioned the possibility that the uninstall would be greyed out- because most people would look there first. -so that's greyed out on the lastest version scamming as adobe flash- but what do you do when it will not allow you to remove it as an administrator- because the the new code pops up a box that says- system application could not be removed" so you cannot use that method. Any new ideas, other than factory reset- which I might add would be the absolute last resort for most people. I have a Samsung note 2

  8. me · 360 days ago

    all i did was take battery out put it back in, as soon as screen came back disabled data and turned on airplane mode then followed the above step

  9. Anonymous · 318 days ago

    This is super helpful. it might be confusing but this is the best way to do this and not have to pay some website to do it for you. if you focus then it isn't that confusing

  10. · 296 days ago

    I have the ransom fbi virus on my samsung note 3. I had no problem doing all the above as far as getting to the areas needed but did not find any unknown apps or flash. I ran my norton mobile and avast mobile and neither found any virus but yet I still have the fbi ransom screen. This virus is not detectable. Anyone have any ideas on how to proceed short of a hard reset?

  11. luke · 292 days ago

    I really hope you get this soon. When I go to device administrators it shows the update video player and when I uncheck the mark it gives me the option to deactivate. But when I press it says system applications could not be removed. I click ok then it does nothing. So I'm back to square 1 in safe mode what to do???

  12. Marcus.S · 220 days ago

    wheni reboot in safe mode and go to settings the infected app will not uninstall

    • Paul Ducklin · 220 days ago

      You didn't say if you checked if the malware was installed as a "Device Administrator."

  13. Joonsoo Kim · 203 days ago

    Thanks for the wonderful post, Paul.

    BTW, what's the MD5 hash of this version? I want to share this process with hands-on experience. But, I can only find the older Andr/Koler-A version or more evil version as "Dave Duke SF" described above...

  14. hunter · 81 days ago

    i have a huawei and no safe mode is there another way

  15. Anonymous · 40 days ago

    I had to destroy my Samsung gal.!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog