Written by Caroline Corrigan
Published on February 21, 2018

What is ransomware and how does it work?

Ransomware is a particularly nefarious type of malware, or malicious software, that comes in several different forms. The two most common variations are:

  • Crypto ransomware — takes over your device and encrypts your files to prevent you from accessing them. This kind of ransomware is most common on computers.

  • Locker ransomware — denies you access to your device (often by locking the user interface or using a popup overlay) instead of encrypting your files. This kind of ransomware is the most common on Android phones and other mobile devices.

    This article contains :

    The Hans Gruber of the digital world, ransomware is able to hold your files hostage, with a hacker demanding that you pay a ransom (usually in Bitcoin and within a certain time limit) to have them released. Last year, the average ransom demand skyrocketed to over $1,000. If you don’t pay, you risk losing your files forever — though there is no guarantee you will recover your files even if you do.


    It’s also important to note that ransomware is NOT a virus — it’s malware. While they both share the mutual goal of infecting and destroying your digital life, viruses are able to replicate in order to wreak havoc on your system.

    Can Android devices get ransomware?

    Unfortunately, your computer isn’t the only device that could end up at the mercy of a ransomware hacker. Android phones have become a popular and lucrative target for hackers as mobile device use continues to grow, and as we continue to store our most important personal information on our phones. In 2016, Android ransomware “Lockscreen” entered AV-TEST’s Malware Top 10 for the first time. The following year, Android ransomware detections tripled.

    How does ransomware get on my phone?

    Mobile ransomware sneaks onto your phone using social engineering tactics that trick you into downloading malicious content, such as fake apps from third party app stores, infected system or software updates, or even by clicking on a spam link sent by SMS.

    For example, in 2014 Android phones were first introduced to “police virus” ransomware. After installing a fake app named “DaBoink”, infected devices would suddenly display a cyber police warning informing users that they had committed a crime by viewing illegal content, and that they must pay to unlock their devices.

    That same year, an another police-themed ransomware began spreading through text messages. The message claimed that fake online profiles had been created with the targeted victims’ photos. After the victim clicked on the link to the profile, they would be prompted to download a ‘PhotoViewer’ app, which would subsequently block the victim’s screen with a fake FBI warning and a demand for payment.

    Types of Android ransomware

    Let’s take a quick look at a few of the top Android ransomware names that have appeared in the game recently.


    Inspired by the notorious WannaCry ransomware attack that was all over the news last year, copycat ransomware WannaLocker went after Android devices in a similar fashion in June 2017. Developed by Chinese hackers, WannaLocker targeted Chinese Android users via popular gaming forums, disguising itself as a plugin for the game “King of Glory”. But unlike the $300-$600 ransom WannaCry demanded, WannaLocker extorted users for only 40 Chinese Renminbi (about 5-6 USD).


    Another Android attacker, the aptly named DoubleLocker ransomware was a double whammy for Android users because of its ability to both encrypt a user’s data and change the device’s security PIN code. Early versions of the ransomware are thought to have emerged in May 2017. Also spread as a fake Adobe Flash update via compromised websites, DoubleLocker is the first ransomware to misuse Android accessibility, a tactic Android banking Trojans use to steal banking credentials. This means that future versions of DoubleLocker might be able to steal money directly from your bank account, in addition to extorting money from you through ransom payments.


    Initially appearing in 2014, Koler Android ransomware resurfaced last year disguised as a malicious PornHub app. After installation, Koler targeted Android users by covering their screens with a fake “police” message demanding a fine for viewing adult content. Despite previous versions of the Koler ransomware having geo-targeting capabilities, this version only targeted Android users in the United States.


    Last summer, LeakerLocker made waves in the news as a sort of Android internet browser ransomware. Instead of encrypting victims’ files, LeakerLocker threatens to share your personal data (photos, messages, web history, emails, location history, etc.) with all of your phone and email contacts. This means your boss could suddenly be staring at those “sensitive” photos you sent to your significant other. Hiding on the Google Play Store as a fake app, LeakerLocker demands a ransom of $50.

    What do I do if my Android device gets infected with ransomware?

    Mobile ransomware is on the rise, which is why knowing how to remove it means all hope won’t be lost if your device does get infected. One way to do this is to boot your device into Safe Mode. Because screen-blocking ransomware notifications come from rogue third party apps, you can get rid of them by uninstalling the perpetrating app.

    How to remove ransomware by booting into Safe Mode

    • Step 1: Hold your device’s power button

    How to remove ransomware by booting into Safe Mode - Step 1 and 2

    • Step 2: Press the “Power off” button that appears in the window to completely turn off your device

    • Step 3: Turn on your phone by pressing and holding the Power button and both the Volume Up and Volume Down buttons simultaneously

    How to remove ransomware by booting into Safe Mode - Step 3 and 4

    • Step 4: Check for the words “Safe Mode” at the bottom of your screen

    • Step 5: Go to Settings > Applications > Manage Applications and choose the application you wish to uninstall

    How to remove ransomware by booting into Safe Mode - Step 5

    Keep in mind that different Android devices may boot into Safe Mode in slightly different ways, and some simply give you the option to reboot into Safe Mode after holding down the Power Button. Also, while you’re in Settings, it’s a good idea to make sure you’ve disallowed non-official app installations. Go to Settings > Security and uncheck the “Unknown sources” box.

    Extra tip: if your computer gets infected with ransomware, you can always use AVG Free Ransomware Decryption Tools.

    What if booting to Safe Mode doesn’t work?

    If you are unable to get rid of the ransomware by booting into Safe Mode, you can try to reset your Android device to factory settings. Just keep in mind that a factory reset means all data will be erased from your device, so if you don’t have it backed up somewhere, you might want to consider this a last resort.

    How to protect your Android from ransomware

    1. Download apps from trustworthy sources

    2. Back up your Android device

    3. Keep your Android updated

    4. Don’t share personal information

    5. Don’t save your passwords

    With ransomware attacks growing at a yearly rate of 350% and financial damages from cybercrime expected to reach $6 trillion annually by 2021, cybersecurity is more important than ever. And with the ever-growing collection of sensitive information living on your phone, there’s no excuse for not learning how to protect your Android device.

    Prevention is your first (and best) line of defense. Smartphone security apps and antivirus software, such as AVG AntiVirus for Android 2019, can effectively block Android ransomware and other forms of malware by detecting threats before they are able to get on your device. AVG AntiVirus also allows you to scan websites, apps, games, and other files in real-time to make sure they’re safe. Another helpful feature, App Permissions, helps you understand what information or capabilities an app needs to access on your phone in order to work properly. If the permissions don’t make sense for the app, that's a red flag that the app might not be safe.malicious-looking app on a screen

    You are the weakest link

    Unfortunately, you are often your own worst enemy when it comes to your device getting infected. Ransomware and other forms of malware, like viruses, exploit human behavior and try to trick you into downloading malicious files, so always be on the lookout. Here are some things you should do to protect your Android device.

    1. Download apps from trustworthy sources

    Getting you to download a malicious app is one of the most effective ways hackers infect your device with ransomware. Stick to official stores like Google Play and make sure you know how to spot a fake app scam.

    2. Back up your Android device

    Back up your mobile data either on your computer hard drive, in the Cloud, or on a portable device such as a USB or external hard drive. This way the hacker has less leverage, and you can reset your device without losing your files. It’s also just a smart thing to do.

    3. Keep your Android updated

    Android software updates are super important because they fix security weaknesses that could potentially leave you vulnerable to threats like ransomware. However, it’s no secret that Android has a serious upgrade problem. With manufacturers often choosing not to continually support updates for older devices (in addition to delays implemented by cell phone carriers), waiting to get the latest update on your phone can quickly turn futile.

    While there are tenuous solutions to the upgrade problem in the works, your best bet to keep your phone safe is (unfortunately) to buy a new smartphone that is still supported by the manufacturer. But if this isn’t within your realm of possibility, then be very careful about the software you run on your device (see tip #1) and make sure you’re using a dependable antivirus software like AVG AntiVirus for Android.

    4. Don’t share personal information

    Think twice before sharing personal info via email or SMS, especially if you’ve received an unsolicited message asking for it. Your bank will never ask you for your account number over text, so if you receive a message like this, it’s probably a phishing attack.

    5. Don’t save your passwords

    Saving your passwords on your device is convenient. But in the long run, this can backfire in a huge way if your phone is ever hacked. Don’t make it easy for hackers by handing over your banking information on a silver platter. Should I pay the ransom?

    Ransomware is designed to make you feel powerless, but this doesn’t mean you should bend to the will of the hacker. The biggest risk of course is that, even if you do pay, there is no guarantee that you will regain access to your data. There is also the chance that the “ransomware” is actually a wiper in disguise, meaning that it wipes all data so that it is impossible to recover anything (as was the case with the Petya ransomware attack).

    The bottom line: don’t leave the safety of your important data in the hands of a hacker. Protect your Android with antivirus software and always stay alert.

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Caroline Corrigan