Tough Ransomware Targets Android

Friday, September 11, 2015 @ 03:09 PM gHale

The price of popularity in the security world means attacks continue to mount against the top players. Just look at Android.

There is a new sophisticated piece of ransomware that targets Android users and locks them out of their devices by changing the PIN, researchers said.


Masquerading as an app for viewing adult videos called “Porn Droid”, the LockerPin Trojan lurks on third-party markets, warez forums and torrents, said researchers at ESET. So far, the majority of infected users are in the U.S.

When users download and install the malicious app, the Trojan tricks them into giving it Device Administrator privileges by pretending it has to download and install an update/patch for the app.

“As the victims click through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window,” the researchers said.

With those privileges, the Trojan is free to lock the device and reset the lock-screen PIN. It then shows a message, purportedly from the FBI, asking victims to pay a $500 fine to regain access to the device and warning them against attempting to unlock it themselves.

The Trojan also employs some clever self-defense mechanisms designed to keep the user from uninstalling it.

“When users attempt to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted,” the researchers said.

“Similarly to when Device Administrator is first activated by the Trojan, if a removal attempt is made the Device Administrator window is again overlaid with a bogus window. Pressing Continue effectively reactivates the elevated privileges.”
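Because the whole scheme hinges on an app holding Device Administrator rights, one defensive check is to enumerate the enabled device admins and flag any that are not expected. The script below is an added example, not ESET's or the article's code; it parses the output of `adb shell dumpsys device_policy` (a constructed sample is embedded, and the exact layout varies by Android version, so only the component lines are relied on), and the allowlist and package names are hypothetical.

```python
import re
import subprocess

# Constructed sample of `adb shell dumpsys device_policy` output. The layout
# is approximate; the parser only depends on the 4-space-indented
# "package/.Receiver:" lines listed under "Enabled Device Admins".
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10045
      policies:
        reset-password
    com.example.porndroid/.LockerReceiver:
      uid=10123
      policies:
        reset-password
        force-lock
"""

# Hypothetical allowlist: the device-admin components an organisation
# actually deployed (e.g. its MDM agent). Anything else is suspect.
EXPECTED_ADMINS = {"com.example.mdm/.AdminReceiver"}

# Matches a component line such as "    com.foo.bar/.SomeReceiver:".
COMPONENT_RE = re.compile(r"^ {4}([\w.]+/[\w.$]+):\s*$", re.MULTILINE)


def parse_device_admins(dumpsys_text):
    """Return the enabled device-admin components found in dumpsys output."""
    return COMPONENT_RE.findall(dumpsys_text)


def unexpected_admins(dumpsys_text, allowlist=EXPECTED_ADMINS):
    """Return device admins that are not on the allowlist."""
    return [c for c in parse_device_admins(dumpsys_text) if c not in allowlist]


def audit_connected_device():
    """Audit a real device over ADB (USB debugging must be enabled)."""
    out = subprocess.run(["adb", "shell", "dumpsys", "device_policy"],
                         capture_output=True, text=True, check=True).stdout
    return unexpected_admins(out)


if __name__ == "__main__":
    for comp in unexpected_admins(SAMPLE_DUMPSYS):
        print("unexpected device admin:", comp)
```

On the constructed sample the script reports only the hypothetical `com.example.porndroid/.LockerReceiver` component; against a live device, `audit_connected_device()` does the same over ADB.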

Like many types of PC malware before it, LockerPin tries to stop mobile AV solutions from working.

On top of all that, paying the ransom will not get victims anywhere in this case: the new PIN is chosen at random after the reset, so even the attackers do not know it, researchers said.

“The only way to remove the PIN lock screen without a factory reset is when the device is rooted or has an MDM solution capable of resetting the PIN installed. If the device is rooted then the user can connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled; otherwise it’s not possible,” the researchers said.