I downloaded android-6-marshmallow.apk from
marshmallow-google(dot)com
(Warning, ransomware fake malware! Do not install!)
It was a fake application and I couldn't delete that because of the screen below, and I can't go pass through this screen.
How to remove it?
I will start this with the most funniest thing the malware developer did. The developer who created this malware with label Android 6.0 Marshmallow, version 6.0(6) and package name com.xtrlee.fiehan, didn't bother with an Activity or an overlay (was trendy) or with a lock screen (the latest trend as of now) either. They decided to employ a full screen Toast (you read it right). Here's what dumpsys window windows and dumpsys appops reported on Android 5.1 (tested on Android-x86).
That explains to me why the view was not constant but flickering.
Now, contrary to the permissions a typical ransomware would need, this malware comparatively didn't demand anything significant. The dangerous permissions it requested consist of listing out all the files available in your external storage (both internal and external SD card) and listing out device information, such as Android ID, IMEI and other information to uniquely identify your device.
The app is targeted at SDK version 21 (Android 5.0, not 5.1) and would work on Android 2.2 and above (the author must have planned to subdue the whole world). The user's data in my opinion would never be touched by this app as it didn't ask for the permission to write external storage.
As far as what I understood, the malware is definitely not a work of art. It has one main Activity which is responsible for showing the app's icon in app drawer. It also acts funnily. If you launch the app the very first time, the user would be shown a dialog to make it a device administrator. If you cancel the dialog, it would spawn again. However, if the user doesn't act under the next 10 seconds, the dialog is immediately dismissed and the main Activity is disabled. Automatic disaster aversion, so cool.
This is how that dialog looks like:
The rest of the components are various receivers which helps in device administration and starting the app once boot process completes.
So, you made a series of terrible mistakes and you think your data is held as hostage. What do you do to save the data and get rid of this supposed update-cum-ransom? Follow any of the approaches noted below:
Using adb and root access, you can find the apk under /data/app/, remove it and reboot the device. You can also achieve this from a custom recovery as well. Alternatively, with adb alone, you can force-stop the app.
adb shell am force-stop com.xtrlee.fiehan
If the above command doesn't help, in Android 5.1.x, you can have appops deny the malware permission to show the toast.
adb shell appops set com.xtrlee.fiehan TOAST_WINDOW deny
Use this window of opportunity to go to Device administrator settings and deactivate the ransomware. Post that, you should go into application manager and uninstall that malware.
If your device doesn't have USB debugging enabled, your only hope seems to be to boot into safe-mode. Fortunately, the app doesn't obstruct the power menu (not at least in Android 4.3 and above) so you can long-press Power button → long press Power off → tap OK when asked to reboot into Safe mode. Once the device boots into safe mode,
And that's how I removed that malware multiple times on this day.
If you're not a power user, do not venture into the unknown territory. This comes down to
Q & A