Ransomware attacks Android phones

Tuesday, 27 October 2015 by Jennifer Duits


Ransomware is a type of malware that encrypts the user’s data and demands a fee, or ransom, for returning access to the data. It is very lucrative for criminals as many victims give in and pay to recover their data. It is no wonder that ransomware has started to target mobile devices as well. ESET has just warned of Lockerpin, the second virus to target Android handsets and the first one to block the user’s data with a PIN code.

Adult Player

Adult Player is the first virus to attack phones running Android. It’s advertised as  a porn video player (it can be downloaded on message boards and torrent sites, as it is not available via any official app store) and is particularly insidious. Before the phone is locked, the app does display the content it promised, but at the same time takes pictures of the user with the phone’s front‑facing camera. This makes the ransomware even more effective - apart from losing data, there is also a blackmail threat that compromising photos will be revealed. Fortunately, it is relatively easy to neutralise the virus without much damage to the user’s data. You just need to restart the phone in a safe mode, remove admin rights from the app and delete it from the phone.


Lockerpin, another adult video player, spreads in a similar way. I It is only available outside of Google Play, but its mechanism of action is much more dangerous, as it uses Android’s standard lock-screen feature. Once the app has been granted administrative privileges in the system, it sets or changes the current PIN code and blocks access to the phone.

If Lockerpin has locked your phone, there are two possible solutions. If you are a power user and rooted your Android before the virus infected it, you can remove the app without losing your data. Start Android Debug Bridge and delete all Lockerpin files from your system.

Rooting your Android

The root is the primary directory which contains all the files necessary for the phone’s operation. The root is saved in two partitions: SYSTEM and DATA. The first one contains all the system files, and the second one stores application files and settings. It is the DATA partition that gets formatted when you factory reset your phone. By default, every user of an Android phone has limited system privileges without the rights to write in the ROOT partitions – and rooting your system is about gaining such rights. A rooted Android grants the user all the administrative rights, including the right to remove malware files, directly from the phone’s root folder. The rooting procedure depends on the particular phone model; specific instructions can be found on the Internet.

CAUTION! Rooting will erase all data stored in your phone’s memory (which means it is pointless to root an already infected phone). It can also void the manufacturer’s warranty and, if done incorrectly, seriously damage your system.

If your Android was not rooted when the virus attacked, your only option is to perform a factory reset. This way, you will regain access to your phone, but you will lose the data stored in its internal memory. The procedure does not erase data from the external SD card or the SIM card. The good news is there have been no reports of the virus blocking access to the external memory or SIM card.

How can you protect yourself against the attacks?

  1. Avoid downloading applications from unknown sources. Get your apps from reliable sites such as Google Play or Amazon Appstore. But remember that even then you are not completely safe from attacks, so look closely at every app and find out if it is safe (by checking online reviews, for example).
  2. Make a backup. Most phones allow you to back up all your data to the external memory or online. You can also store your pictures in the cloud using a number of free and paid apps, such as Google Drive. You can back up the most important data, including your contact list, bookmarks, and calendars or even installed apps with your Google account. Read more about how to back up your data.

Should you pay the ransom?

With ransomware, you can never be sure if paying the ransom will actually allow you to retrieve your data. You must trust the honesty of the criminals, which is quite a leap of faith, so you risk losing both your files and money. Another reason not to pay is that your ransom can be used for funding further development of malicious software, so by paying, you might be directly helping criminals to carry out even more dangerous attacks in the future.

Read more about ransomware >>