A previously unsophisticated Android ransomware that locks an Android device's screen has received new updates that make it impossible for security researchers to help victims to unlock their devices.
Android.Lockscreen was a simplistic Android ransomware that appeared in March 2015. For a long period of time, this threat operated by setting a custom PIN code and showing a message on the user's screen, asking him to call a number for technical support.
Users calling this number would be tricked into paying for expensive "technical support" and would then receive the device's new PIN code.
Previous Android.Lockscreen versions could be removed
Security researchers who took a look at this threat soon realized that the ransomware's source code included the PIN code used to lock devices.
For many months, it was easy for security researchers to take a look at the latest Android.Lockscreen samples and extract the PIN code, passing it on to infected victims.
But the crooks caught on to their own mistake, and in recent versions, they changed the mechanism through which they generate the PIN code.
New versions use a pseudo-random PIN code
"Newer variants have eliminated the hardcoded passcode and replaced it with a pseudorandom number," Symantec's Dinesh Venkatesan writes. "Some variants generate a six-digit number and some generate an eight-digit number."
Android.Lockscreen now uses the Java Math.random() function to generate a pseudo-random number, which it sets as the device PIN code.
The ransomware is effective at locking the device only on older Android versions, prior to Google's Nougat release, which included protections to prevent calls for PIN/password resets from other apps, if the PIN was set by a user beforehand.
To prevent losing control over their Android smartphones, users should install apps only from trusted sources, like the Google Play Store, and pay attention to the permissions apps request upon installation. Android.Lockscreen, by the operations it needs to carry out, will require a lot of intrusive permissions, such as the ability to lock the user's screen, change device settings, and overlay messages on top of other apps.
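The permission check described above can be automated before an app is installed. The following is an added example, not code from the article or from Symantec: it assumes the app's manifest and device-admin policy file have already been decoded to text XML, and the function names, sample package and sample receiver are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Android identifiers mapped to the capabilities the article lists.
PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay on top of other apps",
    "android.permission.WRITE_SETTINGS": "change device settings",
}
POLICIES = {
    "force-lock": "lock the screen",
    "reset-password": "set or change the device PIN",
}
# Constructed sample input: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
# Constructed sample input: the device-admin policy file of the same app.
SAMPLE_POLICIES = """
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><force-lock/><reset-password/></uses-policies>
</device-admin>"""

def audit(manifest_xml, policies_xml=None):
    """Return {capability: evidence} for the intrusive requests found."""
    found = {}
    root = ET.fromstring(manifest_xml.strip())
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name")
        if name in PERMISSIONS:
            found[PERMISSIONS[name]] = name
    for recv in root.iter("receiver"):
        if recv.get(NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found["device administrator"] = recv.get(NS + "name")
    if policies_xml:
        for node in ET.fromstring(policies_xml.strip()).iter():
            if node.tag in POLICIES:
                found[POLICIES[node.tag]] = "<%s/> policy" % node.tag
    return found

def can_lock_user_out(found):
    """True when the app could both lock the screen and set the PIN."""
    return found.keys() >= {"lock the screen", "set or change the device PIN"}
```

An app that requests device-administrator rights with both policies, plus the overlay permission, matches the capability set the article attributes to Android.Lockscreen and deserves a closer look before installation.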