Welivesecurity, ESET's online editorial outlet, has recently published an analysis of a new Android ransomware that is spreading within the United States.
The new malware, which the ESET team calls Android/Lockerpin.A, is in the same family as the previously reported ransomware that locked Android device screens. In the earlier versions, the screen was "locked" by running a loop that continually brought the ransom screen back to the foreground, keeping the user out of the mobile device.
Good examples are Android Defender, which posed as an antivirus application, and Simplocker, which went a step further and encrypted user files. Both were easily dealt with through ADB (Android Debug Bridge) or by deactivating the malware's device administrator rights, which allows it to be uninstalled in Safe Mode.
Android/Lockerpin.A, however, takes it to a whole new level and sets a new PIN lock for the phone by gaining access to the device's administrator rights. It can only do this after the user has downloaded and installed the malware that, as ESET reports, disguises itself as an app known as Porn Droid for viewing adult videos. The app is not available through Google's Play store but manages to find its way to mobile devices through third-party Android application databases.
Once installed, the malware prompts the user to apply an update, or patch, that the app supposedly needs in order to function. Unbeknownst to the user, accepting that "patch" actually grants the malware device administrator privileges, and it locks the device shortly afterward.
"After clicking on the button, the user's device is doomed: the Trojan app has obtained Administrator rights silently and now can lock the device—and even worse, it set a new PIN for the lock screen," noted Lukas Stefanko, a malware researcher for ESET.
The ransomware will then flash a fake FBI warning, which informs the user that the device has been locked due to the possession of suspicious files and the use of prohibited pornographic portals. It also states that the device owner has been deemed a criminal suspect whose location and facial snapshots have already been uploaded to the FBI's data center. The bogus warning also comes with a threat that if the user tries to disconnect, unlock or dispose of the device, the $500 fee, which it demands be paid through a link aptly named "Payment Penalties," will be tripled.
After the warning has been displayed, Android/Lockerpin.A locks the device. The normal response would be to uninstall the malware, but the ransomware's author has taken some notes from the previous strains. It registers a callback function that, whenever the user tries to revoke its administrator privileges, overlays a fake window and reactivates them. It is also coded to protect itself from mobile antivirus applications, such as ESET, AVAST and Dr.Web.
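Because the whole lock-out rests on an app silently holding device administrator rights, the first thing a responder checks is which apps are enabled as device admins and which policies they hold. The script below is an added example, not code from the article or from ESET: it parses a constructed sample of `adb shell dumpsys device_policy` output (the layout of that dump and the package names are assumptions) and flags any admin outside an allowlist that holds both policies a Lockerpin-style lock-out needs, reset-password and force-lock.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell dumpsys device_policy` output (not from the article).
# The layout mirrors the older DevicePolicyManagerService dump format; treat it as an assumption.
SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.android.email/com.android.email.SecurityPolicy$PolicyAdmin:
      uid=10022
      policies:
        limit-password
        watch-login
        wipe-data
    com.example.fakeplayer/.AdminReceiver:
      uid=10117
      policies:
        reset-password
        force-lock
  ... (remainder omitted)
"""

# Packages the device owner expects to hold device-admin rights (assumed allowlist).
KNOWN_ADMINS = {"com.android.email"}

# A Lockerpin-style lock-out needs both: set a new PIN (reset-password) and lock the screen (force-lock).
LOCKOUT_POLICIES = {"reset-password", "force-lock"}


def parse_device_admins(dump: str) -> Dict[str, List[str]]:
    """Map each enabled device-admin component (pkg/class) to the policies it holds."""
    admins: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        m = re.match(r"^\s{4}([\w.]+/[\w.$]+):\s*$", line)   # component header, 4-space indent
        if m:
            current = m.group(1)
            admins[current] = []
        elif current and re.match(r"^\s{8}[a-z-]+\s*$", line):  # policy tag, 8-space indent
            admins[current].append(line.strip())
    return admins


def suspicious_admins(admins: Dict[str, List[str]], known=KNOWN_ADMINS) -> List[str]:
    """Return admin components outside the allowlist that could hold the device hostage."""
    flagged = []
    for component, policies in admins.items():
        package = component.split("/")[0]
        if package not in known and LOCKOUT_POLICIES <= set(policies):
            flagged.append(component)
    return flagged
```

On a real device, pipe the live dump into `parse_device_admins` and revoke or uninstall anything `suspicious_admins` reports from Safe Mode, since that is the moment the overlay callback cannot interfere.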
Even if the malware is somehow removed, the PIN problem remains. If the user tries to reset the PIN, which is randomly generated and sent to the attacker, chances are the device will be locked for good.
The only real solutions are to reset the phone to factory settings, which deletes everything stored on it, or, if the phone is rooted, to connect to it via ADB and remove the file that stores the PIN. Those who have mobile device management (MDM) solutions capable of resetting the PIN will also be able to unlock their phones without a factory reset.