PIN-changing, screen-locking Android ransomware

“A sophisticated new piece of ransomware targeting Android users and locking them out of their devices by changing the PIN has been discovered by ESET researchers.

Masquerading as an app for viewing adult videos called “Porn Droid”, the LockerPin Trojan lurks on third party markets, warez forums and torrents. So far, the great majority of infected users are located in the US.

When users download and install the malicious app, the Trojan tricks them into giving it Device Administrator privileges by pretending it has to download and install an update/patch for the app.

“As the victims click through this innocuous-looking installation they also unknowingly activate the Device Administrator privileges in the hidden underlying window,” the researchers explained.

The Trojan is now free to lock the device and reset the PIN for the lock screen. It then shows a message, supposedly by the FBI, which asks victims to pay a $500 fine in order to regain access to the device, and warns them against attempting to unlock the device themselves:

This Trojan also employs some very clever protections against it being detected and uninstalled.

“When users attempt to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted,” the researchers pointed out.

“Similarly to when Device Administrator is first activated by the Trojan, if a removal attempt is made the Device Administrator window is again overlaid with a bogus window. Pressing Continue effectively reactivates the elevated privileges.”

Like many types of PC malware before it, LockerPin tries to stop mobile AV solutions from working.

According to the researchers, paying the ransom in this particular case will not get the victims anywhere, because after the reset, the new PIN is chosen at random, and the attackers do not know it.

“The only way to remove the PIN lock screen without a factory reset is when device is rooted or has a MDM solution capable of resetting the PIN installed. If the device is rooted then the user can connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled otherwise its not possible (Settings -> Developer options -> USB Debugging),” they shared.

For instructions on how to do that, check out this blog post.”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss