Android FBI Virus - Although It Is Just Malware

by Downunder35m in Circuits > Computers

1267 Views, 6 Favorites, 0 Comments

Android FBI Virus - Although It Is Just Malware

FBI-Prism-Virus-Removal-On-Android-Phone.jpg

This will be just a short one with no images or links as it is not really required.

You might not want to admit to any wrong doing, so I am not saying you did ;)
But jokes aside the so called FBI Virus usually lands on a device once you checked a website you should not have checked or clicked on something that popped up.

What happened?
Simply put a malware program got installed in such a way that nagging pop ups will block your phone.
To make things worse the bottons won't work either.
Only thing left is a full shut down by holding the power button.

Is my phone or data lost?
Sadly it is, well at least if you don't want to get rid of this nasty bugger.
So far this malware has only blocked users from accessing their phone the easy way but it can not be ruled out that upcoming versions won't do serious harm
That means nothing it lost on your device and you will get it all back.

How to get rid of the FBI crap?
Although pretty straight forward the details will vary from device to device.
That might be one of the reasons why most info on the web you find through Google will give you utterly useless help.
Oh did I mention? Don't PANIC!
Here is what you might find on the web and which is utterly useless for the newer editions of the FBI Virus:
Download malware- virusscanner blah blah and it will remove the virus.
This won't work as you don't even get the chance to do it or to start the program so it can do it's job.

Download app blah blah and run with admin rights to remove all files linked to the virus.
Won't work either for the above reasons and usually only gives you more malware to deal with.

Make a backup, firmware reset and put the backup on the device again.
Sure, this always works but most of the time the user won't have a current backup made or no clue how to put it on a device that is blocked.

For me the problem was that a friend dumped a phone I did not even know exists and asked if I could help.
But that helps you now as I can point the differences and what you need to look for :)
Ok, let's fix the thing, shall we?
1. Turn off your phone and get into "Safe Mode".
This is done in many different ways depending what device and Android system you use.
Common ways to get into safe mode:
In the shutdown menu tap and hol the shut down button until you see the options menu where you can also restart into safe mode.
During startup by holding down the volume buttons in various combinations, either alone or together with the home button.
Last not least by tapping on menu soft key continously from the moment you pressed the power button until the device is fully booted (or you see the safe mode water mark in the bottom left corner).
One of those ways should work, but if in doubt ask my friend Google for specific info on how to enter the safe mode on your Android/device combo.
2. Go into the application manager.
Scroll into the "All" tab.
Delete suspicious apps that you have never seen on your phone - read on before deleting!
The early version were really easy to spot as usually "Flash player" was used - there is no flash player on Android systems, at least not by default and never working properly anyway.
The newer versions dsguise themself a bit better, for example as video player, image viewer or similar.
So if you find a player/viewer you don't know about, did not install then there is a good chance that's the one.
The version I got tried to hide as "System Update" with the usualy gear sprocket icon - again there is no app for system updates with this name and icon on normal Android systems.
Once you think you got the right app you clear the app cache, delete data, force stop, uninstall.
Double check though that you really only kill the app you want to kill and not just delete whatever you don't know!
There are also all vital system apps listed and of course they should be left alone!
3. Restart your phone to confirm the malware is gone.
If you still get the nagging screen after a few seconds of use it means you did not delete the app containing the virus.
Sometimes this virus comes with another app, so if it all happened after you installed something new - delete the new stuff!
4. Now that the phone is working again get a virus scanner to prevent this from happening again.
There is plenty to choose from but you should stick to know names from the playstore with good reviews and not use something unknown that just looks fancy.
And although most good scanners will offer you purchses, the basic protection and removal of malware is free, so don't fall for programs that can only cure your device after paying money.
The key is to prevent harmful code from being installed in the first place, so asking for money once it happens is like the original scam IMHO...

More Confusion Thanks to the Filenames....

I noticed that even the current versions of this FBI hoax use different filenames for the actual app doing the harm.
Apart from the mention "system update" it was also spotted as add-on or update for popular games.
To make things worse it seems that during the infection it is checked what is actually installed on the device and to base the filename and icon on that.

If you do have a custom recovery installed it is best to do a full backup of your phone.
Without it you can still use the backup functions as offered to backup all personal data and installed programs.

First off, there might be still a little chance that you can get the Avast Malware removal tool installed.
You can find it in the playstore and you have to follow the procedure as explained there.
This means "installing" it remotely from a PC or laptop.
For this work with a slight chance of success you need to know your Google credentials as used for your account and playstore on the device!
Before you start this turn the affected phone off!
Once you see on the PC it is installed you turn on the phone and hope it installs fast enough so you tap on the icon in the notification bar.
This does not always work but some phone do keep this info in the notification bar - which means you can try again after a restart.
In my experience with the lates version of the virus it is not fast enough so you won't see the result of the scan and you won't be able to confirm the deletion of the infected files.
Plus in most cases it also requires a rooted device as the virus is often disguised as a system app which means root acces is required to undo the modifications to the startup files.
But it is worth a try as it might save a lot of time if it works for you.

Ok, you tried your best to find the culprit in the application manager but all seems to be ok.
Now it is time for the mentioned backup, not really for your personal data and images but for installed programs and settings, but read on please...
Unless you are willing to perform a full factory wipe and restore your backup (without the FBI malware) you can still do a manual clean.
If you can browse you backup for programs and apps it is a bit easier but the procedure goes like this:
Clear cache, delete data, force stop, uninstall - for all programs and things you installed or agreed to on the day the indection happend.
As it often happens through a browser you might not have to much to uninstall at this point.
Keep an eye out for all icons and apps that you never noticed in your menu - they are prime candidates to remove first.
After each uninstall test if you got the right one by restarting the phone, if the malware is still present repeat with the next candidate.
In case you can't find anything that works check the installed games and apps that did not come with your firmware by default - that where you need the backup if you want to keep your progress and other things.
Again, if no success move on to the next - you can recover all that was innocent in one go at the end from your backup.

Done all that but the phone still blocks me out!
I said Don't PANIC! didn't I ? ;)
It only means that your version of the FBI "virus" is hiding under something less obvious and less suspicios.
So far it seems the FBI virus does not use system files to hide, so everything with the green Andoird icon indicating important system files should be clean.
This leave you with everything that is not, like widgets you have never seen, tiny apps you never saw in the menu before and all things that should not be listed in the application mager - like system settings, updates, flash- and video- audio players you did not install (and that did not come with Android itself)...
You have to use quite some common sense now when killing apps you don't know anything about but at this stage it is the only manual way of cleaning left - apart from a full wipe.
My best suggestion is:
1. Leave all things with the green Android icon untouched.
2. First kill, one by one with test between, all apps that still make little to no sense to you.
3. Continue the same way with wigets and other things.
4. Sooner or later you will hit the jackpot ;)
5. You need to check if some of the deleted apps now cause any problems.
In most cases this won't be the case but there is a chance it does, if too bad please perform a factory wipe and install your backup but only include those apps you know.