The AnDROid Ransomware is a low-quality file-encryption Trojan which, thankfully, uses a flawed encryption algorithm: it may lock the user's files temporarily, but the encryption can be reversed to restore them to their original condition. Naturally, the authors of the AnDROid Ransomware aim to encrypt the files of their victims so that they can extort money from them by promising to provide a decryptor once the ransom fee is paid. Apart from the encryption routine, the AnDROid Ransomware also uses a screen-locking feature that prevents users from accessing their desktops by displaying an irremovable window that contains an image of a skull, as well as a short ransom message crafted by the AnDROid Ransomware's author:
‘Hy, sorry your files has been encrypted.
But, not all your file encrypted
Klick “Contact Me” and i will give your key.’
At the bottom of the lock screen, victims will find a field that prompts them to enter an unlock key and press the ‘Decrypt’ button. The good news is that the code used to remove the lock screen is hard-coded in the AnDROid Ransomware, and it has already been extracted by cyber security researchers. If you believe that access to your computer was disabled by the AnDROid Ransomware, then you should enter the unlock code 62698b8ff9e416d9a7ac0fb3bd548b96 to remove the alarming message. The hard-coded unlock code, the insecure encryption routine and the fact that the author prefers to contact victims via Facebook all show that the AnDROid Ransomware is the product of a cyber crook who, apparently, is not very good at crafting malware.
The encryption technique that the AnDROid Ransomware uses is not yet known, but the good news is that it does not appear to be very advanced, since a free decryption utility named StupidDecrypter has already been released and can be used to reverse the damage that the AnDROid Ransomware causes to the files. StupidDecrypter is also compatible with some other low-quality crypto-threats such as the DeriaLock Ransomware, the NullByte Ransomware and the EnkripsiPC Ransomware. Just like any other crypto-threat, this threat targets a broad range of files such as documents, spreadsheets, presentations, backups, databases, images, file types associated with Adobe products, etc. The AnDROid Ransomware marks all locked files by adding the ‘.android’ extension to the end of their names (e.g. ‘logo.psd’ will be renamed to ‘logo.psd.android’).
The presence of a free decryptor and a hard-coded unlock code means that victims of the AnDROid Ransomware will be able to recover from the attack without paying money or contacting the attacker. The first action victims need to take is to remove the screen locker by using the unlock code mentioned above. Next, they need to run a credible anti-malware utility that will identify and remove the AnDROid Ransomware's components, thereby putting a stop to this threat's harmful operations. Finally, StupidDecrypter should be used to get all files with the ‘.android’ extension back to their normal state.
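Before running the decryptor, it helps to know exactly which files were touched. The script below is an added triage example, not code from the original page or from the StupidDecrypter project: it uses only the ‘.android’ marker described above, walks a directory read-only (it renames and decrypts nothing), and reports the locked files grouped by their original extension so the victim can confirm what needs restoring. The directory it builds for demonstration is constructed sample data, not a real infection.

```python
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Suffix the page reports AnDROid appending to every file it locks.
MARKER = ".android"


def find_locked_files(root: str, marker: str = MARKER) -> List[Tuple[str, str]]:
    """Walk `root` and return (locked_path, original_path) pairs for every file
    whose name ends with the marker. Read-only triage: nothing is renamed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # Require something before the marker so a file literally named
            # ".android" is not mistaken for a locked file with an empty name.
            if name.endswith(marker) and len(name) > len(marker):
                locked = os.path.join(dirpath, name)
                original = os.path.join(dirpath, name[: -len(marker)])
                hits.append((locked, original))
    return sorted(hits)


def summarize_by_extension(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count locked files by the extension of the original name
    ('logo.psd.android' counts under '.psd')."""
    counts: Counter = Counter()
    for _locked, original in hits:
        ext = os.path.splitext(original)[1].lower() or "(no extension)"
        counts[ext] += 1
    return dict(counts)


def build_sample_tree() -> str:
    """Create a throwaway directory mimicking a hit machine (constructed sample
    data; the byte contents are placeholders, not real ciphertext)."""
    root = tempfile.mkdtemp(prefix="android_triage_")
    sample = {
        "logo.psd.android": b"\x00" * 16,
        "docs/report.docx.android": b"\x00" * 16,
        "docs/notes.txt": b"untouched",          # not locked, must be ignored
        "db/backup.sql.android": b"\x00" * 16,
        "README.android": b"\x00" * 16,          # original name had no extension
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    locked = find_locked_files(sample_root)
    for locked_path, original_path in locked:
        print(f"{locked_path}  ->  restores as {os.path.basename(original_path)}")
    print(summarize_by_extension(locked))
```

Point `find_locked_files` at the real drive root once the screen locker has been dismissed and the anti-malware scan is finished; the returned list doubles as a checklist to verify, after StupidDecrypter has run, that every entry has been restored to its original name.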