
How to protect your Android device from a ransomware attack

Charlotte Empey, 25 April 2018

Android-based ransomware attacks are on the rise, but don’t worry — this Avast Essential Guide explains what to look for and how to keep your Android devices safe.

Ransomware attacks have become one of the top security threats facing individuals and corporations alike. Although most of these attacks are still aimed at PCs, another popular target has emerged: Android-based mobile devices. According to ransomware experts here at Avast, Android ransomware saw an increase in Q3’17 YoY of 72% and an even higher increase in Q4’17 YoY of 116%, as several high-profile attacks made the rounds.


How are Android ransomware attacks different from PC attacks, and how can you protect yourself? Let’s find out.

What is ransomware?
How does ransomware take hold of your Android device?
What to do if your Android device falls victim to a ransomware attack?
How to protect your Android device from ransomware
Be smart. Be protected.
Examples of major Android ransomware attacks in 2017

What is ransomware?

Ransomware is a specific type of malware (or malicious software) designed to take your device hostage and force you to pay a ransom. Ransomware usually takes one of two forms: crypto ransomware locks the files on your device so that you can’t open them, while locker ransomware locks up the device itself so that you can’t even get into it. In both cases, the cybercriminal demands that you pay a ransom (usually in cryptocurrency such as Bitcoin) by a certain deadline to unlock the files or device. You can learn more about ransomware by checking out our Essential Guide to Ransomware. Bottom line: ransomware has been growing and causing data loss to users and businesses alike, resulting in more and more ransom being paid. And now it is targeting and exploiting Android phones.

How does ransomware take hold of your Android device?

While many PC-based ransomware attacks exploit known vulnerabilities in the operating system to sneak onto the computer, Android ransomware relies mostly on good old-fashioned user error. Cybercriminals use phishing scams and other social engineering tactics to trick you into loading the malware onto your device.

Ransomware is often disguised as an app. You think the app is safe, so you download it and give it the necessary permissions on your device, and suddenly you find yourself locked out. Ransomware can also come at you through phishing links sent via email, text, or messenger app, or through fake requests to perform system/software updates or add plugins.    


What to do if your Android device falls victim to a ransomware attack?

All of a sudden, you find yourself staring at a locked screen with no ability to use your phone or access any of its contents. Your first impulse may be to pay the ransom and make the problem go away. Don’t do it! For one thing, there’s no guarantee that paying the ransom will actually make the problem go away. You’re relying on the integrity of criminals, after all. Also, if they see that you’re willing to pay, then you’re putting an even bigger target on your back for future attacks. As long as ransomware attacks continue to work, cybercriminals will continue to use them.

There are two ways to deal with a traditional ransomware attack in which you’re locked out of your Android device. First, you should try to reboot the device in Safe Mode, revoke Device Administrator privileges (if you granted them to the app), and then delete the app, program, or plug-in that caused the problem.

Here are the steps to boot into Safe Mode*:

1: Press and hold the smartphone’s power button.

2: A “power off” button will appear on the screen that lets you turn off the device.

3: Turn your device back on by pressing and holding the power button while simultaneously pressing both the volume up and volume down buttons.

4: When the device powers on, look for the words Safe Mode at the bottom of the screen.

5: Go to Settings > Applications > Manage Applications, then find and uninstall the corrupt application.

* The process to boot into Safe Mode may vary slightly between different Android devices. Check your user manual.

If you can’t boot into Safe Mode or it doesn’t solve the problem, then your only course of action is to reset your device to its factory settings. This will fix the problem, but it will also erase all the data and settings stored on the device. If you back up your device on a regular basis, either to a computer or the cloud, then you’ll have no problem recovering most, if not all, of your data. So, now is as good a time as any to stress how important it is to perform regular system backups.

How to protect your Android device from ransomware

As the saying goes, the best offense is a good defense. Instead of trying to fix a ransomware attack, let’s talk about how you can prevent it from happening in the first place.

1. Protect your Android device with antivirus software.

Antivirus software isn’t just for the computer anymore. A good antivirus software like Avast Mobile Security can detect and protect your Android phone or tablet from ransomware and all other types of malware by scanning the websites, apps, games, and everything else you access to make sure they’re safe. If you accidentally click on a suspicious link, download a fake app, or try to install a phony plug-in, Avast Mobile Security can quarantine the ransomware and prevent it from attacking your device.

2. Activate the “Shield” features in Avast Mobile Security.

You can initiate two useful shield settings in the Avast Mobile Security app. There is Web Shield with Accessibility, which alerts you if you unwittingly visit a known phishing or malware distribution site, and SMS Shield, which alerts you if you receive a malicious URL by text message. Both of these can be activated through the following steps:

  1. Open the app
  2. Tap the 3 lines icon in the upper-left corner
  3. Scroll down and open Settings, followed by Protection
  4. Switch on Web Shield with Accessibility and SMS Shield
  5. Follow further instructions that appear on the screen

3. Perform all updates to the Android OS.

Make sure to perform any and all updates that are issued for the Android OS, since many of them are security-related. Of course, updates are often notoriously slow in coming to Android devices, so you can’t rely on this process alone to protect you.

4. Back up all important files from your Android device.

There are many options, and you might want to schedule at least two types of backups on a regular basis. You can back up to the cloud, store your data on an external hard drive, or use a service like Dropbox.

5. Don't download apps from unknown sources.

When it comes to loading up your Android device with the latest and greatest apps, stick with trusted sources like the Google Play Store and avoid third-party app stores. Google has a lot of protections in place to battle malware, but a really clever criminal can still get around them (which is why you need the antivirus software) -- like the recent discovery of BankBot-carrying apps.

To add an extra layer of security, you can go into your device’s Settings menu and turn off the ability to perform unofficial app installations. In the Security area, just uncheck the box labeled “Unknown sources.”

Also, if an app asks for device administrator permission, that can be a big red flag. This gives the owner of the app permission to remotely access your device, which in most cases is a very bad idea.

6. Be wary of any pop-up installation requests.

Pop-ups are seldom your friend. Any time you’re browsing a website or playing an online game and you get a pop-up request to perform an update or install a plug-in, the best plan of action is no action. Just send that pop-up away. If a website tells you that you need an Adobe Flash update, then go to Adobe’s website and get the latest update directly from the source. The same is true of any other software-update request.

7. Think twice before clicking on those links.

Phishing scams are still the most popular way to distribute malware and a growing number of phishing scams are targeting mobile devices and social media/messenger apps. Don’t click on any links you receive via text or email from an unknown source; and, even if you think you know the source, take a closer look at both the sender’s address and the link source before proceeding. If anything looks phishy, steer clear.

Be smart. Be protected.

The rise of Android-based ransomware is definitely a threat to take seriously, but isn’t it good to know that you have the tools to prevent this threat from ever becoming a reality in your favorite mobile devices? All it takes is a little common sense and a good antivirus software.


Examples of major Android ransomware attacks in 2017

The best way to illustrate how Android ransomware works is to describe it in action, so let’s look at some of the attacks we saw in 2017.

DoubleLocker: One of the most high-profile Android attacks in 2017 was dubbed DoubleLocker because it actually locks up your device in two ways: it encrypts your files, and it changes your security pin so that you can’t get in via the home screen. DoubleLocker was first detected in May 2017, disguised as an Adobe Flash update through compromised websites. DoubleLocker is the first known ransomware to exploit the Android accessibility services, which are designed to help people with disabilities by granting websites a higher degree of permissions. This tactic has been used previously in Trojan-style malware attacks to steal users’ banking credentials.


WannaLocker: This Android-based ransomware is a copycat of the WannaCry ransomware that hit the PC world hard in June 2017. Targeting Chinese Android users, WannaLocker spread through Chinese game forums by posing as a plugin for the game King of Glory. Once installed, it begins encrypting files on your device’s external storage and then puts up a ransom message.


Charger: The Charger ransomware hid inside an app called “EnergyRescue,” which was available from the Google Play Store. Once downloaded onto the device, the malware accessed contacts and text messages. After that, it locked the device and demanded a ransom of 0.2 Bitcoin (about $180) from the victim.

SLocker: SLocker has the dubious dishonor of being among the first ransomware programs developed to attack Android devices back in 2015. The bad news is that the malicious program seems to be making a comeback. Decompiled source code for SLocker was published on GitHub in 2017, available to any ne’er-do-wells who wanted to use it, and soon new versions of the ransomware began turning up on devices everywhere.

Koler: Also making the rounds in 2017, Koler used a fake adult-themed app to infect Android devices in the United States. People who visited an adult website were prompted to download an app to view content. Of course, the app was fake. Once installed, it allowed ransomware to take over the device. A police-themed scare-tactic message pops up on the device screen, instructing the user to pay a fine for viewing pornographic content.


LeakerLocker: This Android ransomware is a bit different from the others, in that it does not lock up the device. Instead, LeakerLocker threatens to send your personal photos, texts, and other private info to everyone in your email and phone contact list unless you pay the ransom. This year, LeakerLocker was found in at least two apps in the Google Play Store; at first the newly installed apps seem to do what they claim to do; but, all the while, they are gathering your private information and uploading it to a cloud server. You then get the ransom note, demanding money in exchange for deleting your content from the server.

Those are just a few examples of Android-based attacks. According to a report on, which tracks activity on the dark web, Android-centric ransomware kits are becoming a hot commodity for purchase by cybercriminals. The easier it is for bad guys to access ransomware kits, the more attacks we’re likely to see.
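
The red flags named in this guide (device administrator requests, accessibility services as abused by DoubleLocker, and access to contacts and text messages as with Charger) can be checked in an app's manifest before it is installed. The following is an added example, not code from Avast or the original article; it assumes the manifest has already been decoded to text XML (for example with apktool), and the package and component names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Bindings declared on a <receiver>/<service>, not through <uses-permission>.
BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN": "can request Device Administrator rights",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service",
}
# Requested permissions matching behaviour the article describes.
REQUESTED = {
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify files on external storage",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return sorted (name, reason) findings for a decoded AndroidManifest.xml."""
    # For manifests from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NS + "name", "")
        if name in REQUESTED:
            findings.append((name, REQUESTED[name]))
    for tag in ("receiver", "service"):
        for comp in root.iter(tag):
            perm = comp.get(NS + "permission", "")
            if perm in BINDINGS:
                findings.append((comp.get(NS + "name", "?"), BINDINGS[perm]))
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE):
        print(f"{name}: {reason}")
```

Findings are triage signals rather than verdicts: legitimate apps, including security tools that use accessibility services, declare the same bindings, so the question is whether the app's stated purpose justifies them.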