Lockerpin Android ransomware takes the money and runs


— 9:18 AM on September 11, 2015

Researchers from ESET are warning US Android device users about a new strain of ransomware called "Android/Lockerpin.A." As the name implies, this particular nasty will lock the device with a random PIN, making the device useless without performing a factory reset, gaining root access, or using some sort of device management utility. Users are told they can pay the attackers $500 to unlock their device, but paying up actually won't help at all.

The malware comes in the form of a fake "Porn Droid" app, which isn't available in Google's Play Store. Users can obtain it from third-party app markets or piracy sites, though. After the victim installs the app, an "Update patch installation" prompt appears, with only a single "Continue" button. This is where the malware uses a novel mechanism—the text and window header are actually an overlay concealing the Device Administrator permissions dialog.

If a user clicks the "Continue" button, they're SOL. The malware first displays a fake warning from the FBI that claims there's forbidden porn on the device, and it demands payment of a $500 "fine." No matter what the user chooses to do at this point, the device will be locked with a random PIN which is not sent to the attacker, so paying the ransom is useless. Uninstalling the app via Safe Mode or Android Debug Bridge won't help, as the malware will display a dialog warning that the "operation is forbidden." And guess what—it's another overlay over the Device Administrator permissions dialog that will cause those permissions to be granted to the badware again. The app also tries to kill any anti-virus processes when the uninstallation is attempted.

According to ESET, roughly 75% of the devices affected by this malware are in the United States, a fact which leads the researchers to believe that attackers are targeting users with bigger wallets, shifting away from the usual Russian and Ukrainian targets.
