Security researchers have discovered what they believe to be the first Android PIN-locking ransomware targeting mobile phone users in North America.
LockerPIN sets or changes a device’s PIN lock, locks the screen and demands a $500 ransom. But the researchers at security firm Eset say that, if victims pay the ransom, the attackers cannot unlock the device, as the PIN is set randomly.
The news comes just days after researchers discovered a malicious Android app, Adult Player, that secretly takes photographs of users with the smartphone’s front-facing camera, locks the device and demands a ransom.
LockerPIN is spreading through unverified third-party app stores, warez forums and torrents. Based on Eset’s LiveGrid statistics, 75% of infected Android devices are currently in the US.
“This is part of a trend where Android malware writers are shifting from mostly targeting Russian and Ukrainian users to Americans where they can arguably make higher profits,” said Eset detection engineer Lukáš Štefanko.
After a successful installation, the Trojan malware tries to obtain device administrator privileges by overlaying the system message with its own window, masquerading as an update.
As the victims click through the innocuous-looking installation, they unknowingly activate the device administrator privileges in the hidden underlying window.
According to Eset, this tactic is becoming increasingly popular with Android attackers, as obtaining device administrator privileges makes it more difficult to remove any malware infection.
Even if the Trojan is removed, for unrooted devices that are not protected by a security system, there is no simple way to change the PIN.
The only way to change the PIN is by carrying out a factory reset – but this means that all data on the device will be lost.
The researchers said this represents an evolution of mobile ransomware because, in previous Android LockScreen Trojans, the screen-locking functionality was usually achieved by constantly bringing the ransom window to the foreground in an infinite loop.
While various self-defence mechanisms were implemented to keep the device user locked out, the researchers said it was not too difficult to get rid of the malware, unlocking the device by using Android Debug Bridge (ADB) or de-activating administrator rights and uninstalling the malicious application in Safe Mode.
Not only does LockerPIN acquire device administrator privileges in a novel and covert manner, the researchers said it also uses an aggressive self-defence mechanism to make sure it keeps them.
When users attempt to de-activate device administrator for the malware, they will fail – because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted, the researchers wrote in a blog post.
If a removal attempt is made, the device administrator window is again overlaid with a bogus window that lures victims into clicking a button that re-activates the malware’s elevated privileges.
As an extra layer of self-protection, the ransomware also attempts to kill running antivirus processes when the user tries to de-activate its device administrator rights.
In August 2015, Intel Security reported that samples of ransomware had increased 127% in the second quarter of 2015, compared with the same period in 2014, affecting mainly desktops and laptops.
“Ransomware attacks have become easier than ever to carry out because of crimeware services that provide attackers with user-friendly graphical user interfaces or consoles to customise attacks,” said Raj Samani, chief technology officer for Europe at Intel Security.
“No technical knowledge is required. All attackers have to do is fill in the email addresses they want to target and wait for the money to come rolling in,” he told Computer Weekly.
Samani said smartphone users can reduce the chances of being targeted by ransomware or other mobile malware by downloading apps only from official app stores.
Kevin Epstein, vice-president of advanced security and governance at Proofpoint, said that, as the trend towards mobile computing and bring your own device (BYOD) continues, malicious actors will exploit this vector, just as email and social media have been used for targeted attacks.
“Clearly, there’s a need for targeted attack protection for mobile,” he said, adding that users are now just as vulnerable on mobile devices as they are on desktops to social engineering and other techniques aimed at getting them to allow administrative rights.