Ransomware has emerged over the last two years as the most problematic form of malware – or malicious software – to target owners of internet-capable devices.
Cryptolocker ransomware can infect your computers and encrypt data stored on your machine or any networked storage backups.
Owners of Android smartphones and tablets are now also being targeted with viruses through social media links or websites that encourage you to install a ‘video player’ app to watch content.
The ‘Koler’ and ‘Locker’ strains of police-themed ransomware have been known for some time. NetSafe has taken a number of reports in 2015 of device lockscreens stating that New Zealand’s Security Intelligence Service or SIS has caught you viewing child pornography, or downloading or watching illegally shared movies.
This latest variant now comes with an NZ Police and GCSB logo and suggests ‘NZSIS Case #5827A7292-A5762’ has been opened:
[Image: Android ransomware scam]
> The message shown (example above) on the screen is part of the scam and is designed to trick, embarrass or scare you into paying a $200 fine. Don’t pay!
The device will be taken over by a virus-style infection and the screen will show a warning that encourages you to pay a $200 fine via the Ukash or Paysafe voucher network. Whilst these vouchers are legitimately sold in New Zealand, the company is not connected with the scam and has published a warning on its website encouraging people not to pay the ransom.
The warning message may also state that the NZSIS will contact ‘witnesses’ and can display 3 recent contacts on the screen with their names and numbers to pressurise you into paying the fine.
How Android ransomware works
Some websites offering filesharing or video viewing services – including adult content sites – may prompt you into installing a video player. Other victims have clicked through to news stories from Facebook newsfeed links shared by friends.
The malware does not encrypt the contents of the Android devices but prevents the home button and back button functions from working.
Turning the phone off and on again does not clear the infection or allow the owner to continue using the phone.
How to deal with Android ransomware:
- Do not pay the ransom; report what has happened to NetSafe
You can contact NetSafe via the freephone telephone number 0508 NETSAFE during office hours or report online 24/7 at www.theorb.org.nz.
- Turn your Android phone off and then switch it on again into ‘Safe Mode’
There are instructions on this website about cleaning up common Samsung and HTC models; you may also need to Google the model of your device and the term ‘safe mode’ to find a manual or guide online. Common ways to boot into Safe Mode include holding the power button and the volume up or volume down button during the power-on process, depending on the age of your device.
- Once in Safe Mode, find the rogue application installed on the device and remove it
The Police or NZSIS virus for Android may install itself under the name ‘BaDoink’. Malwaretips.com has screenshots showing how to use Application Manager under Settings to remove the app.
If you cannot remove the app then you may need to consult a local technician who specialises in smartphones, try to use anti-virus software to clean the phone or, as a last resort, reset the device to factory settings, which will also remove the data and contacts stored on the phone.
Please send screenshots of the ransomware to email@example.com and let us know if you successfully recover use of your Android device.
More Advice and Information:
NetSafe provides a guide on smartphone security that includes 12 tips for protecting your devices. The most important ways to prevent Android ransomware are:
- Consider installing anti-virus software on your Android
- Keep your operating system up to date
- Be cautious about what apps you install
- Don’t click on links or open attachments you weren’t expecting
- Backup your device and the data stored on it
You can find independent reviews of Android anti-virus software on the AV Test website.
If you visit adult websites on your mobile device, be very cautious about downloading and installing any form of video player or ‘Adobe Flash’ update, as these can often be malicious and may infect the phone or tablet. Downloads often arrive as .apk files and can lock the device if installed.
Android owners should avoid installing apps from unknown or unofficial sources or changing their device settings to automate the installation.
- MalwareBytes: Difficulty removing Koler Trojan or other ransomware on Android? (includes screenshots on Safe Mode)
- Locker: an Android ransomware full of surprises (includes technical removal advice for experienced end-users)
- MalwareTips: Remove Police or FBI virus from Android phone (Removal Guide, May 2014)
- Panda Security: Police Virus for Android – July 2015
- Ukash / Paysafe alert on ransomware payments
- Kaspersky guide: Koler – The ‘Police’ ransomware for Android (PDF) – July 2014