CISOs need to spread a warning to Android users on staff that a new screen-locking ransomware is spreading, according to researchers at security vendor ESET.
Dubbed Android/Lockerpin.A, the malware resets whatever PIN screen lock the user has set to a random value. The attackers display a phoney FBI warning telling users they are being fined US$500 for viewing pornography, but the ransom is a hoax: even if you pay it, the device can’t be unlocked, because the malware sets a random PIN that the attackers themselves don’t have.
In a blog the company says “users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.” The malware also preserves Device Administrator privileges so it can prevent uninstallation.
How is it spread? So far, by users downloading an app called Porn Droid for viewing video from porn sites. It can be prevented by urging employees not to go to porn sites, and to only download Android apps from Google Play or completely trusted sites.
After a successful installation, Lockerpin.A tries to covertly obtain Device Administrator privileges. An activation window is overlaid with the Trojan’s malicious window pretending to be an “Update patch installation.” As the victims click through this innocuous-looking installation, ESET says, they also unknowingly activate the Device Administrator privileges in the hidden underlying window.
Users know they’ve been nailed if they see this screen:
The user can uninstall the malware either by booting into Safe Mode or by using Android Debug Bridge (ADB). However, after any ransom activity the PIN will have been reset, and neither the owner nor the attacker can unlock the device except by resetting it to factory defaults – if the device is not rooted.
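Because the malware keeps itself alive through Device Administrator rights, a fleet administrator triaging a device over ADB wants a quick way to see which apps hold those rights and which of them can reset the screen lock. The following script is an added example, not code from ESET or from the article: it parses the output of `adb shell dumpsys device_policy` and flags any active admin that is not on an allowlist and holds the `reset-password` or `force-lock` policy. The sample output embedded below is constructed and only approximates the format of Lollipop/Marshmallow-era devices; the package and receiver names in it are placeholders, so check the layout against your own devices before relying on it.

```python
import re
from typing import Dict, List, Set

# Constructed sample approximating `adb shell dumpsys device_policy` output.
# Package/receiver names are placeholders, not real identifiers.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.example.mdm/.MdmAdminReceiver:
      uid=10008
      policies:
        reset-password
        force-lock
        wipe-data
      passwordQuality=0x0
    com.example.lockscreen/.AdminReceiver:
      uid=10123
      policies:
        reset-password
        force-lock
      passwordQuality=0x0
  Password Owner: -1
"""

# Packages that legitimately hold device-admin rights in this hypothetical fleet.
KNOWN_ADMINS: Set[str] = {"com.example.mdm"}

# Policies that let an admin lock the user out of the device.
LOCKOUT_POLICIES = {"reset-password", "force-lock"}

# An admin component line is indented four spaces: "<package>/<receiver>:".
ADMIN_RE = re.compile(r"^\s{4}(\S+)/(\S+):\s*$")
# Policy tags are indented eight spaces under a "policies:" line.
POLICY_RE = re.compile(r"^\s{8}([a-z-]+)\s*$")


def parse_device_admins(dump: str) -> Dict[str, List[str]]:
    """Map each active device-admin component to the policy tags it holds."""
    admins: Dict[str, List[str]] = {}
    current = None
    in_policies = False
    for line in dump.splitlines():
        m = ADMIN_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            admins[current] = []
            in_policies = False
            continue
        if current is None:
            continue
        if line.strip() == "policies:":
            in_policies = True
            continue
        pm = POLICY_RE.match(line)
        if in_policies and pm:
            admins[current].append(pm.group(1))
        else:
            in_policies = False  # any other line ends the policies sub-block
    return admins


def suspicious_admins(admins: Dict[str, List[str]], known: Set[str]) -> List[str]:
    """Return admin components outside the allowlist that can lock the user out."""
    flagged = []
    for component, policies in admins.items():
        package = component.split("/", 1)[0]
        if package not in known and LOCKOUT_POLICIES & set(policies):
            flagged.append(component)
    return flagged


if __name__ == "__main__":
    found = parse_device_admins(SAMPLE_DUMPSYS)
    for component in suspicious_admins(found, KNOWN_ADMINS):
        # The package half of the component is what an uninstall procedure needs.
        print("unexpected device admin with lockout policy:", component)
```

On a real device, feed the script `adb shell dumpsys device_policy` output instead of the constructed sample; an admin that appears here but not in Settings → Security → Device administrators is exactly the sort of persistence the article describes.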
Based on ESET customer statistics, most of the infected Android devices so far (over 75 per cent) are in the U.S. This backs up a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to largely targeting victims in America, the vendor says, where arguably they can make bigger profits.