Exterminator

Community Manager
A new ransomware family targeting Android devices is abusing an older UI feature to hijack user clicks and root the device, giving itself full access to encrypt the user's files and then lock his screen.

This new ransomware strain, discovered by Symantec's team and named Android.Lockdroid.E is currently distributed via an adult-themed app called "Porn ‘O’ Mania."

The app is only available from third-party stores, and should not affect users that only use the Google Play Store to install applications that have been reviewed and approved by the Google team.

Lockdroid uses a clickjacking technique to root the device
The most interesting thing about this ransomware family is how it abuses an older Android feature to install itself.

Any Android application that is going through the installation procedure needs to be reviewed by the phone's owner and manually approved. Like most ransomware families, Lockdroid tries to disguise itself using fake messages that use misleading descriptions.

If the user is careless enough and the ransomware goes beyond this step, this is where Lockdroid employs a clickjacking technique and overlays another popup on top of the subsequent modal window that asks for admin privileges.

This second popup is actually an error message (TYPE_SYSTEM_ERROR) which older Android versions allowed to appear on top of the window that asks for permissions.

This popup is also cleverly designed to look like an intermediary screen that tells the user that the app he has just approved is currently installing itself and may take a while. Eventually, the content of this second popup will show the "Installation is complete" message and activate a "Continue" button.

This button is perfectly overlaid on top of the "Activate" button found underneath it, in the modal window that requests administrative privileges. Pressing "Continue" will inadvertently press the "Activate" button as well, and release the ransomware in full force onto your phone.

Lockdroid blackmails users with their browsing history
Once it gets root privileges, Lockdroid will start encrypting the user's files and collecting his contacts list.

When everything has finished, the ransomware uses its administrative permissions to push a permanent message to the user's screen, asking the user to pay a ransom to recover his encrypted files.

To make the threat more convincing, the Lockdroid ransomware also threatens the user that, unless he pays the ransom, it will send all his browsing history to all his contacts.

Lockdroid is playing on everyone's fear to have their private life exposed, especially to their friends. A similar tactic was employed by the Chimera ransomware back in November, when it threatened victims to upload their files to an online server.

Two-thirds of Android users are affected
The good part is that the ability to show secondary popups on installation screens has been removed starting with Android 5.0 (Lollipop).

This means that users running the most recent version of the Android OS are safe because Lockdroid won't be able to use the clickjack technique to install itself, and must rely on gullible users actually clicking the proper button, which may sometimes raise questions about the app's intentions.

The bad news is that two-thirds of the Android ecosystem is still running older versions of Android, where this clickjacking technique can be used without users ever suspecting a thing.
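The overlay trick described in the post (a "Continue" button drawn over the real "Activate" button) is what Android calls tapjacking, and the platform exposes an app-side mitigation for it. The following is an added example, not code from the post or from Symantec, showing how an app developer protects a sensitive button in their own app: the view asks the framework to drop touches delivered while another window is drawn over it, and logs the attempt. The package name is hypothetical. Note the scope: this protects an app's own UI, not the system's device-admin activation dialog that Lockdroid targets; for that dialog the fix is the Android 5.0 platform change the post mentions, plus not installing apps from third-party stores.

```java
// Added example (not from the post or from Symantec): a Button that refuses
// touches delivered while another window is overlaid on top of it.
// Package name is a hypothetical placeholder.
package com.example.tapjacking;

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredTouchFilteringButton extends Button {
    private static final String TAG = "ObscuredTouchFilter";

    public ObscuredTouchFilteringButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework discards touches that arrive while this view is covered
        // by a window belonging to another app.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // The system sets FLAG_WINDOW_IS_OBSCURED when a window from another
        // app (for example an overlay drawn on top of a confirmation dialog)
        // completely covered this view at the moment of the touch.
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w(TAG, "Dropping touch: view fully obscured by another window");
            return false; // event is swallowed, onClick never fires
        }

        // Android 10 (API 29) also reports partial overlays, which is the
        // "perfectly overlaid button" case: only the button area is covered.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
            Log.w(TAG, "Dropping touch: view partially obscured by another window");
            return false;
        }

        // Nothing covering the view: let the normal dispatch continue.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use this class in place of Button for any control whose tap grants something (approve, pay, enable), and keep filterTouchesWhenObscured on even if the override is removed: the attribute alone already makes the framework drop fully obscured touches on every API level that supports it.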

DracusNarcrym

I fail to understand how releasing one's browsing history to the public can significantly add to the overall threat of having one's files encrypted and utterly inaccessible...

If this is not an "overkill" ransomware case, then I'll just call it a case of "bloat-ransomware". :D