
The Rise of Android Ransomware

Document version: 1.0

Authors:
Robert Lipovský, Senior Malware Researcher
Lukáš Štefanko, Detection Engineer
Gabriel Braniša, Malware Researcher

Contents

Summary
Ransomware on Android
  Common infection vectors
  Malware C&C communication
  Malware self-protection
Android ransomware chronology
  Android Defender
  Ransomware meets fake AV, meets…porn
  Police ransomware
  Simplocker
    Simplocker distribution vectors
    Simplocker in English
  Lockerpin
    Lockerpin’s aggressive self-defense
  Jisut
How to keep your Android protected

SUMMARY

Ransomware is a growing problem for users of mobile devices. Lock-screen types and file-encrypting “crypto-ransomware”, both of which have been causing major financial and data losses for many years, have made their way to the Android platform.

Like other types of Android malware – SMS trojans, for example – ransomware threats have been evolving over the past few years, and malware writers have been adopting many of the same techniques that have proven to be effective in regular desktop malware.

Both on Windows and on Android, lock-screens are nowadays usually of the “police ransomware” kind, trying to scare the victims into paying up after (falsely) accusing them of harvesting illegal content on their devices. Likewise, as with the infamous Windows Cryptolocker ransomware family, crypto-ransomware on Android started using strong cryptography, which meant that affected users had no practical way of regaining the hijacked files. And because everyday data, such as photos, are now kept on smartphones rather than PCs by so many people, the threat of losing this data is now greater than ever.

One interesting observation that we have made is that the attackers’ center of focus is no longer only Eastern European countries. A number of recent families, such as Android/Simplocker and Android/Lockerpin, have been targeting victims mostly in the USA.

In the first part of the paper, we provide a definition of ransomware, take a look at ESET’s detection telemetry to see how widespread the threat is, and analyze malware specifics that apply to ransomware on Android. The main section details the most noteworthy Android ransomware examples from the past three years. Finally, we give take-home messages and advice for Android users.

RANSOMWARE ON ANDROID

Ransomware, as the name suggests, is any type of malware that demands a sum of money from the infected user while promising to “release” a hijacked resource in exchange. There are two general categories of malware that fall under the “ransomware” label:

• Lock-screen ransomware

• Crypto-ransomware

In lock-screen types of ransomware, the hijacked resource is access to the compromised system. In file-encrypting “crypto-ransomware”, the hijacked resource is the user’s files.

Both types have been a very prevalent problem on the Windows platform since 2013, when ransomware started to increase in popularity among cybercriminals, even though it had been around for many years before. Ransomware infections have been causing trouble both to individuals and to businesses.

Since one of the most noticeable trends in regard to Android malware is that malware writers have been bringing to this platform malware techniques that have proven to be successful on Windows, the appearance of ransomware on the most popular mobile platform was logical and anticipated.

Figure 1: Android ransomware detection trend, according to ESET LiveGrid®

With consumers switching more and more from PCs to mobile, more and more valuable data is being stored on the devices that all of us carry around, and Android ransomware is becoming ever more worthwhile for attackers.

COMMON INFECTION VECTORS

Android malware – ransomware as well as most other types – typically fulfils the definition of a trojan horse: it spreads by masquerading as a legitimate application. Popular applications, such as trending games or pornography-related apps, are often chosen in order to increase the likelihood that the victim will download the malware. In some cases, the malicious APKs bear only the name and icon of the legitimate application, whereas in other cases, malware writers take existing applications and add malicious code, keeping the original functionality. For malware that doesn’t inherently rely on a visual manifestation like ransomware does (backdoors or SMS trojans, for example), this increases the chance that the malicious behavior will go unnoticed.

Of course, since such modification would break the digital signature of the package, it has to be re-signed and submitted under a different developer account than the original.

None of the ransomware examples described later in this paper have been found on the official Google Play store. However, there have been numerous cases of malware successfully bypassing Google’s ever-improving security measures. ESET’s researchers have found and reported to Google hundreds of samples of Android malware, including fake AV scareware, credential-phishing spyware, trojans used for click-fraud, backdoors, ad-displaying PUAs (Potentially Unwanted Applications), and other PUAs.

Malware writers have also begun to vary the infection techniques, for example by using a trojan downloader or dropper application as an intermediate stage before the actual payload is launched.

Using technically more advanced techniques, such as exploit-driven drive-by downloads, is not very common on Android.

MALWARE C&C COMMUNICATION

After a successful installation, most Android malware “reports home” to a Command & Control (C&C) server.

In some cases, the reporting serves only to track the infection, sending back basic device information such as the device model, IMEI number, device language, and so on. Alternatively, if a permanent C&C communication channel is established, the trojan can listen to and execute commands sent by the malware operator(s). This creates a botnet of infected Android devices under the attacker’s control.

Some examples of commands supported by Android ransomware, outside its primary scope of locking the device and displaying a ransom message, include:

• open an arbitrary URL in the phone’s browser
• send an SMS message to any or all contacts
• lock or unlock the device
• steal received SMS messages
• steal contacts
• display a different ransom message
• update to a new version
• enable or disable mobile data
• enable or disable Wi-Fi
• track the user’s GPS location

The usual communication protocol used is HTTP. But in a few cases, we’ve also seen malware communicating with its C&C via Google Cloud Messaging. This service enables developers to send and receive data to and from apps installed on the Android device. A similar protocol, also used by Android malware, is Baidu Cloud Push. Some malware samples we’ve analyzed have used Tor .onion domains, or the XMPP (Jabber) protocol.

Alternatively, Android trojans can receive commands, as well as send data, using the built-in SMS functionality.

MALWARE SELF-PROTECTION

Infecting a victim’s device with Android malware is not a trivial task for attackers. Even for users without anti-malware solutions like ESET Mobile Security, there are Google’s own defensive measures. Naturally, once they succeed in overcoming these hurdles, they want to make sure that their malevolent code stays on the device for as long as possible.

We have seen Android malware using numerous self-defense techniques. For example, Android/Lockerpin implements several, including attempting to kill processes belonging to anti-malware applications.

But one of the most universal techniques that we’re starting to see in more and more Android malware is obtaining Device Administrator privileges. Note that Device Administrator privileges are not the same as root access, which would be even more dangerous if acquired by malware.

Figure 2: Examples of Android malware requesting Device Administrator privileges
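The script below, added here as an illustration and not part of ESET’s paper or tooling, shows how an analyst can triage a sample for the self-protection features just described before ever running it. It parses an APK’s AndroidManifest.xml (assumed to have been decoded to plain XML with apktool) for a receiver guarded by BIND_DEVICE_ADMIN, reads the admin policies that receiver requests from its res/xml policy file, and flags the permissions that usually accompany a lock-screen trojan (overlay windows, killing background processes, SMS, camera). The manifest, the policy file and the package name com.adultvideo.player are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for Device Administrator
usage and lock-screen-trojan permissions.

Added example (not ESET's code). Assumes apktool has already decoded the
APK, so the manifest and res/xml files are plain XML. All sample data below
is constructed; the package name is hypothetical."""
import xml.etree.ElementTree as ET
from typing import Dict, List

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

# Permissions that, next to a Device Admin receiver, suggest a lock-screen trojan.
SUSPICIOUS_PERMISSIONS: Dict[str, str] = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake lock screen, tap-jacking)",
    "android.permission.KILL_BACKGROUND_PROCESSES": "killing AV or Settings processes",
    "android.permission.RECEIVE_BOOT_COMPLETED": "re-lock after reboot",
    "android.permission.RECEIVE_SMS": "C&C or data theft over SMS",
    "android.permission.SEND_SMS": "SMS spreading or C&C replies",
    "android.permission.READ_CONTACTS": "contact theft, SMS spreading",
    "android.permission.CAMERA": "camera shot on the ransom screen",
}

# Constructed manifest in apktool's decoded form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.adultvideo.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".k.DevAdm"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed res/xml/policies.xml, the file the receiver above points at.
SAMPLE_POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <force-lock/>
  </uses-policies>
</device-admin>
"""


def admin_policies(policy_xml: str) -> List[str]:
    """Return the policy tags declared under <uses-policies>, in file order."""
    root = ET.fromstring(policy_xml)
    return [child.tag for parent in root.iter("uses-policies") for child in parent]


def triage(manifest_xml: str, xml_resources: Dict[str, str]) -> Dict[str, object]:
    """Summarise Device Admin usage and suspicious permissions of one APK.

    xml_resources maps a resource name (the part after "@xml/") to the text of
    the matching res/xml file; a missing file simply yields no policies.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers: List[str] = []
    policies: List[str] = []
    for rcv in root.iter("receiver"):
        # A DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN so that
        # only the system can call it; that attribute is the reliable marker.
        if rcv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        receivers.append(rcv.get(A + "name"))
        for md in rcv.iter("meta-data"):
            if md.get(A + "name") == "android.app.device_admin":
                res = md.get(A + "resource", "")
                res = res[len("@xml/"):] if res.startswith("@xml/") else res
                if res in xml_resources:
                    policies.extend(admin_policies(xml_resources[res]))
    indicators = [f"{p}: {why}" for p, why in SUSPICIOUS_PERMISSIONS.items() if p in perms]
    return {
        "package": root.get("package"),
        "device_admin_receivers": receivers,
        "policies": policies,
        # reset-password is the policy DevicePolicyManager.resetPassword() needs;
        # Device Admin plus this policy is what a Lockerpin-style PIN lock requires.
        "pin_lock_capable": bool(receivers) and "reset-password" in policies,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, {"policies": SAMPLE_POLICIES}).items():
        print(f"{key}: {value}")
```

Treat the result as a ranking aid rather than a verdict: legitimate anti-theft and MDM apps also hold Device Administrator rights with the reset-password policy, so it is the combination with an overlay permission, a process-killing permission and a developer account that has no business asking for them that makes a sample worth a closer look.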

Legitimate Device Administrator applications use these extended permissions for various (mostly security-related) reasons. Malware, on the other hand, uses this Android feature for its own protection against uninstallation. Before such an app can be uninstalled, its Device Administrator rights must first be revoked.

Some malware, such as Android/Lockerpin, additionally uses the extra permissions only available to Device Administrator applications to set or change the lock screen PIN.

ANDROID RANSOMWARE CHRONOLOGY

Ransomware on Android has continued to evolve and new families have been discovered over the past three years. The most noteworthy are described in the following sections.

The first appearances of ransomware on Android were cases in which extortion functionality was added to fake (rogue) antiviruses.

Fake AVs are a malware type that has been around for a long time – on Android since 2012 and on desktop platforms since at least 2004. As the name implies, they display a fake antivirus scan of files on the device and then try to trick users into paying money to remove the threats with which the files are supposedly infected. They’re also referred to as “scareware”, because they extort payment from the victim after scaring them into believing that their device is infected.

Rogue AVs are generally not considered ransomware – while they also attempt to get money from the victim, they typically rely on persuasion rather than extortion, and the tricked users usually believe they’re paying for a legitimate product. However, some fake AV authors decided to make their software more aggressive by adding lock-screen ransomware behavior.

Most lock-screen ransomware on Windows belongs to the so-called police ransomware category, and the same trend can be observed on Android. Police ransomware increases its chance of success (of a payment by the victim) by using another scareware tactic: it tries to scare the afflicted users by displaying a message purportedly from a law enforcement agency, such as the FBI, claiming that illegal activities have been detected on their device.

File-encrypting crypto-ransomware was the only missing kid on the “Android malware block” until the May 2014 appearance of a family that ESET dubbed Simplocker.

ANDROID DEFENDER

Android Defender, which was first spotted in mid-2013, is a typical example of a fake antivirus and probably the first actual ransomware targeting Android.

As is evident from Figure 4, the graphical user interface of the application tries to make it appear to the victims that they’re dealing with a legitimate security application. Interestingly, during the fake scan, the trojan displays names of files that actually exist on the phone’s memory card, which makes it even more believable. The malware names shown are real too, except the phone isn’t actually infected with them.

Figure 4: Fake AV called Android Defender with a convincing GUI

At this stage, the user still has the option of “continuing unprotected” and closing the app. However, a background service belonging to the fake AV makes the phone practically unusable by displaying never-ending malware warning popups each time the user tries to launch an application. Clicking “Stay unprotected” dismisses the currently displayed popup, only to see another one pop up, and so on…

Figure 5: Incessant Android Defender popups make the infected device practically unusable

In the event that this behavior has not persuaded the victims to believe that they are truly infected and to pay for the “full version” of the scam software, it will switch to an even more aggressive mode six hours after its initial launch. Android Defender displays a full-screen window with hardcore pornographic images that can’t be closed.

Figure 6: Android Defender locks the screen displaying pornographic images

In the event that the infected user gives up and decides to pay, the fraud will set him or her back by at least 89.99 USD. What’s even worse is that the user’s credit card details are now in the hands of the malware operators (or anyone sniffing on the network, as the data are sent unencrypted) and available for further misuse.

Figure 7: Android Defender purchase options

ESET Mobile Security detects Android Defender as Android/FakeAV.B.

RANSOMWARE MEETS FAKE AV, MEETS…PORN

The second fake AV ransomware example doesn’t go under a made-up name like Android Defender, but instead parasitizes the name of a legitimate Android security application from Avast¹. Fake copies of legitimate antivirus programs used to be the domain of rogue AVs on Windows. Curiously, the malware, detected by ESET as Android/FakeAV.E, also abuses another well-known brand: it spreads by pretending to be a mobile app for the adult video website PornHub.

Figure 8: 1st disguise of Android/FakeAV.E: fake PornHub app

When the app is launched, instead of showing pornographic videos, it shows the user a message that says the device must first be “checked for viruses”. After clicking OK, the fake AV, which is made to look like Avast, runs its scam scan.

¹ The fake AV is in no way whatsoever affiliated with Avast Software.

The narrative in this fraud is rather odd. First, the message shown by the fake Avast GUI states that the “device is in danger and is now blocked for security reasons” and that a Pro version must be bought. While a legitimate antivirus would obviously not render a device unusable, that text more or less corresponds to rogue AV behavior. However, the ransom nag screen that’s displayed once the device is locked talks about an obligation to pay a 100 USD fine to avoid legal consequences.

Figure 9: 2nd disguise of Android/FakeAV.E: fake Avast app

It appears as if the authors of this malware took the ransom message screens from a different ransomware program, even incorporating the same typographic errors.

Figure 10: Android/FakeAV.E ransom screens

POLICE RANSOMWARE

Lockscreen ransomware on Windows has used various themes in the past. Some earlier examples included lockscreens that appeared as a blue-screen-of-death (BSOD), or a Windows activation message. While we still occasionally spot various new lockscreen themes, the one that recurs most commonly in recent years is police ransomware. Reveton is one of the best-known families of this type.

Police ransomware claims that the device has been locked by a local law enforcement agency because illegal content or activity has been detected. The ransom messages sometimes quote some Criminal Code article but say that the user can get away with just a fee. Police ransomware often uses IP-based geolocation in order to “customize” the infection for the user with banners of local law enforcement agencies.

The first samples of police ransomware on Android appeared in the first half of 2014 and were targeted against Russian-speaking Android users.

Shortly after, location-aware variants appeared, as did variants in the English language.

Figure 11: First police ransomware variants were targeting Russian-speaking Android users

Figure 12: Android/Locker variants capable of displaying a camera shot and adjusting the ransom screen based on the user’s location – example shows Russian, Ukrainian, and Kazakh banners

ESET detects the police ransomware examples above as variants of Android/Koler or Android/Locker.

Figure 13: Android/Koler variants shift to targeting English-speaking users

SIMPLOCKER

In May 2014, ESET detected the first file-encrypting ransomware for Android – an expected evolution, as this kind of malware has been extremely widespread on the Windows platform in recent years, Cryptolocker, Cryptowall, CTB-Locker, and TorrentLocker being just a few of many infamous examples.

After launch, the trojan displayed a ransom message as shown in Figure 14 and encrypted files in a separate program thread in the background. Android/Simplocker.A scanned the SD card² for files with any of the following image, document or video extensions – JPEG, JPG, PNG, BMP, GIF, PDF, DOC, DOCX, TXT, AVI, MKV, 3GP, MP4 – and encrypted them using the AES cipher. The encryption key was hardcoded inside the binary as plain text, so recovering the key from the sample and decrypting the files was trivial, unlike with the more established Windows crypto-ransomware families. For this reason, we dubbed the malware Android/Simplocker and believed that these first variants were either just a proof-of-concept or an early development version of a more serious threat.

² The threat also affected devices without a physical SD card. On such devices, the internal memory appears as an emulated SD card.

The ransom message was written in Russian and the payment demanded was in Ukrainian Hryvnias, so it’s fair to assume that the threat was targeted against Android users in Ukraine. The malware instructs the victim to make the payment using prepaid money vouchers, such as MoneXy or QIWI, because these are not as easily traceable as payments made with regular credit cards.

Figure 14: Ransom requests from initial Russian versions of Android/Simplocker

Some Simplocker variants also display a photo of the victim taken with the phone’s camera to increase the scareware factor.

Figure 15: Simplocker using the front camera feed to intimidate the victim

Simplocker distribution vectors

Android/Simplocker usually tries to trick the user into installing it by camouflaging itself as a legitimate and popular application – a common technique for Android malware. Typically, the camouflage revolves around internet porn (some malicious apps pretend to be an adult video, an app for viewing adult videos, etc.), popular games like Grand Theft Auto: San Andreas, or common applications like Flash Player.

However, Android/Simplocker has also been using a less common spreading mechanism – through trojan-downloaders. Trojan-downloaders are common in the world of Windows malware but not that common on Android. They’re small programs whose sole purpose (and also the only reason why they’re malicious) is to download other malware.

The reason why the trojan-downloader strategy has a greater chance of slipping under the radar of Android market application scanning (such as Bouncer on the official Google Play, for example) or even escaping the notice of a more careful Android user is that:

• All the application does is open a URL outside the app – this does not, in itself, qualify as malicious behavior

• The downloader has practically no “potentially harmful” application permissions – so even a user who scrutinizes app permissions during installation may allow this one

Furthermore, in the examples we’ve analyzed, the URL contained within the app didn’t point to the malicious Simplocker APK package directly. Instead, the trojan was served after a redirect from the server under the attacker’s control, so inspecting the embedded URL alone does not reveal the payload.

We have not seen Android/Simplocker spreading through the official Google Play store.

Simplocker in English

Only one month after discovering the first Simplocker variants, we began detecting new versions of this ransomware that featured a few significant improvements.

The most noticeable change was the language: Android/Simplocker.I now displayed ransom screens in English instead of Russian. The victim was led to believe that the device was blocked by the FBI after detecting illegal activity – software piracy, child pornography, and so on – typical behavior of police ransomware. The ransom demanded was now in the range of 200 USD to 500 USD and the victim was instructed to pay it using a MoneyPak voucher. Like some of the previous Android/Simplocker variants, this one also used the scareware tactic of displaying the camera feed from the device.

Figure 16: Android/Simplocker ransom messages in English

In addition to encrypting documents, images and videos on the device’s SD card, the trojan now also encrypts archive files: ZIP, 7z and RAR. This “upgrade” can have very unpleasant consequences. Many Android file backup solutions store the backups as archive files. If the user gets infected with Android/Simplocker.I, these backups will be encrypted as well.

More advanced Simplocker variants also ask to be installed as Device Administrator, which makes them a lot more difficult to remove, since the user must first revoke the application’s Device Administrator rights before uninstalling it. And that’s rather difficult to do when the ransomware is locking your screen.

The latest variants have slightly changed the ransom request visuals. Instead of the FBI, it is the NSA that’s accusing the victim of “attending forbidden pornographic sites” (sic) and asking for a 500 USD payment.

Figure 17: Latest Android/Simplocker NSA ransom messages

Another noteworthy change was that the malware started to use the XMPP (Extensible Messaging and Presence Protocol) protocol (Jabber) for communication with its C&C server. Using XMPP makes it more difficult to trace the C&C servers than if HTTP were used. Android/Simplocker uses this instant messaging protocol to send information about the infected device to the server and to execute commands received. A third type of C&C server addressing used by some Android/Simplocker variants is the use of Tor .onion domains.

The most important step in Simplocker’s evolution was in the encryption keys used by the malware to encrypt the victim’s files. A few months after the initial versions, we spotted Simplocker variants that used unique cipher keys generated and sent from the C&C server. This marked the end of the trojan’s proof-of-concept stage: with no key in the sample, it was no longer possible to decrypt the hijacked files easily.

LOCKERPIN

In previous Android lockscreen trojans, the screen-locking functionality was usually achieved by constantly bringing the ransom window to the foreground in an infinite loop. While various self-defense mechanisms were implemented to keep the device user locked out, it wasn’t too difficult to get rid of the malware, and thus to unlock the device, by using Android Debug Bridge (ADB) or by deactivating Device Administrator rights and uninstalling the malicious application in Safe Mode.

Unfortunately, with Android/Lockerpin, which we discovered in August 2015, malware writers have stepped up their game. If a user becomes infected with this Android ransom-locker, the only way to remove the PIN lock screen is if the device was previously rooted or has an MDM solution installed that is capable of resetting the PIN. Otherwise, the last option is a factory reset, which deletes all data on the device.

The technique that Lockerpin uses for locking the device is extremely simple – it leverages the built-in Android PIN screen locking mechanism. It is able to set a PIN on the device, or even change it if one was already set. It is able to do so provided that the victim has granted the malicious app Device Administrator privileges.

Figure 18: Android/Lockerpin geographic distribution

According to ESET’s LiveGrid® statistics, most of the infected Android devices are in the USA, with a percentage share of 72%. This is part of a trend whereby Android malware writers are shifting from targeting mostly Russian and Ukrainian users to targeting victims in the United States, where arguably they can make bigger profits.

The malware has been spreading disguised as an app for viewing adult videos.

Earlier versions of the Android/Lockerpin family obtain Device Administrator status in just the same way as all other Android trojans, which use it mostly as protection against uninstallation – they rely on the user willingly activating the elevated privileges.

In the latest versions, however, the trojan obtains Device Administrator rights using a much more covert tap-jacking technique. The system Device Admin activation window is overlaid with the trojan’s malicious window, which pretends to be an “Update patch installation”. The gist of the technique is that the fake Continue button is placed perfectly over the underlying Activate button. So when the victims click through this innocuous-looking installation, they have inadvertently granted the malware Device Administrator privileges.

Figure 19: Android/Lockerpin covertly obtaining Device Administrator rights by tap-jacking

After installation, the typical police ransomware scenario ensues. The user is shown a bogus message from the FBI requesting a 500 USD ransom for allegedly viewing and harboring forbidden pornographic material.

Figure 20: Android/Lockerpin ransom message

After a specified time delay following the display of the ransom message, the PIN will be set (or changed) to a four-digit number that’s generated randomly and not sent to the attacker. Since neither the attacker nor the victim knows the PIN, paying the ransom cannot unlock the device. Some variants of Lockerpin have the functionality to remove the PIN lock by resetting it to a zero value.

Figure 21: Device locked by Android/Lockerpin

Lockerpin’s aggressive self-defense

Not only does Android/Lockerpin acquire Device Admin privileges in a novel and covert manner; it also uses an aggressive self-defense mechanism to make sure it keeps them. When users attempt to deactivate Device Admin for the malware, they will fail because the trojan has already registered a call-back function to reactivate the privileges immediately after removal is attempted.

Similar to when Device Administrator is first activated by the trojan, if a removal attempt is made, the Device Administrator window is again overlaid with a bogus window as shown in Figure 22. Pressing Continue effectively reactivates the elevated privileges.

Figure 22: Android/Lockerpin blocking attempts to revoke Device Administrator rights

As an extra layer of self-protection, the ransomware also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights. The trojan tries to protect itself from three mobile anti-virus applications: ESET Mobile Security and the Android solutions by Avast and Dr.Web.

Figure 23: Android/Lockerpin attempting to kill running AV processes

The malware will not succeed in killing or removing ESET Mobile Security. Lockerpin also attempts to kill the com.android.settings process in order to prevent standard uninstallation of the malware through Android’s built-in application manager.

JISUT

The ransomware that ESET security solutions flag as Android/LockScreen.Jisut is a strange family. Unlike the rest of the examples described in this paper, the purpose of which is purely financial gain, Jisut appears to also have been created as a prank.

The malware is most widespread in China and is most probably the work of newbie Chinese teenage cybercriminals.

Most ransomware – lockscreens as well as crypto-ransomware – demands a payment through pre-paid cash vouchers like MoneyPak or MoneXy, or by Bitcoin, precisely because these payment methods are hard to trace back to a person. However, the gang behind Jisut took a whole different approach and doesn’t seem to care about its anonymity. The ransomware nag screens include contact information on the Chinese social network QQ and urge the victims to contact the authors in order to get their files back. If the information in the QQ profiles is valid, the malware operators are Chinese youths between 16 and 21 years old.

The first variants of Android/LockScreen.Jisut started appearing in the first half of 2014. Since then, we have detected hundreds of variants that all behave somewhat differently or display different ransom messages, but are all based on the same code template. The whole Jisut malware family is unlike any other known LockScreen ransomware.

One type of Jisut behavior is to create a full-screen Activity (the Android developer term for “window”) overlaying all other Activities. The full-screen overlay is just a black background, so the device appears as if it was locked or switched off. If the user brings up the menu to shut down or restart the device, a joke message will be displayed. Some samples feature a variation on this: they play music from the famous shower scene in Alfred Hitchcock’s Psycho, while vibrating the device in an infinite loop.

Figure 24: Jisut prank messages. Left: “Off, you are dead!” Right: “I hope you have fun! Producer Shen Shen”

Another Jisut variant asks the user to click a button that says “I am an idiot” 1000 times. Nothing happens after the counter reaches 1000; it’s reset to zero and the frustrated user can continue clicking indefinitely.

Figure 25: Android/LockScreen.Jisut: “Please click the button below 1000 times”

In addition to the described silly behavior, most Android/LockScreen.Jisut variants also contain harmful functionality. Like Android/Lockerpin, they’re able to set or change the device lock screen PIN or password. Some variants don’t rely on the legitimate built-in Android lock screen functionality but display their own full-screen window mimicking the lock screen, as the police ransomware Android/Locker and Android/Koler families do.

In addition to the ransomware aspect, some variants can spread by


sending an SMS message with a URL link to the malware to all user
contacts.

HOW TO KEEP YOUR ANDROID PROTECTED


For users of Android devices it’s important to be aware of ransomware
threats and to take preventive measures. Among the most important
active measures to take are avoiding unofficial app stores and having
a mobile security app installed and kept up to date. Additionally, it is
important to have a functional backup of all of important data from the
device.

Chances are that users who take appropriate measures against
ransomware will never face any request for ransom. And even if they fall
victim and – worst case scenario – see their data encrypted, having a
backup turns such an experience into nothing more than a nuisance.

Figure 26 – Device locked with PIN or password by Android/LockScreen.Jisut

If users do manage to get infected by ransomware, they have several
options for its removal, depending on the specific malware variant.

For most simple lock-screen ransomware families, booting the device
into Safe Mode – so third-party applications (including the malware)
will not load – will do the trick and the user can easily uninstall the
malicious application. The steps for booting into Safe Mode can vary
on different device models. (Consult your manual, or ask Google – the
search engine.) In the event that the application has been granted
Device Administrator privileges, these must first be revoked from the
settings menu before the app can be uninstalled.

If ransomware with Device Administrator rights has locked the device
using Android’s built-in PIN or password screen lock functionality, the
situation gets more complicated. It should be possible to reset the lock
using Google’s Android Device Manager or an alternate MDM solution.

Figure 27 – More vivid custom lock screens with the malware author’s QQ number


Rooted Android phones have even more options. A factory reset, which
will delete all data on the device, can be used as the last resort in case
no MDM solutions are available.

If files on the device have been encrypted by crypto-ransomware
such as Android/Simplocker, we advise users to contact their security
provider’s technical support. Depending on the specific ransomware
variant, decrypting the files may or may not be possible.

We advise affected users against paying the requested ransom, for
several reasons. While it is true that some established Windows
crypto-ransomware gangs have reached the level of professionalism
where users will usually get their files decrypted, that is not always
the case. File-encrypting crypto-ransomware is extremely popular
among malware writers and there are many different families of
Windows Filecoders (the ESET detection name for the category). Many
of them have jumped onto the ransomware bandwagon, hoping to copy
the success of Cryptolocker and the like, but our technical analyses of
all those families have shown that many of them are implemented
poorly. For users, this means two things: firstly, that even if they do
pay up, their files may not get decrypted; secondly, that it may be
possible to decrypt their files without paying.

As far as ransomware on Android is concerned, we have seen several
variants where the code for decrypting files or uninstalling the lock
screen was missing altogether, so paying would not have solved
anything.

At the level of a single user or a business being a victim of
crypto-ransomware and facing a loss of data, it boils down to a question
of trust. Can the cybercriminals be trusted to keep their end of the
bargain and decrypt the files after the ransom has been paid? Obviously,
there are no guarantees. And even if the files are decrypted, there’s
nothing stopping attackers (the same ones or others) from coming back
for more.

Taking the wider view of the whole ransomware economy, giving in to
the attackers’ demands only fuels the problem.

As mentioned above, prevention by adhering to basic security principles,
using updated security software on Android, and backing up your data
(not only on the device itself) is a much more sensible option. And with
all of those precautions being readily available and easy to use, there
really is no reason not to do so.
