A new Android ransomware family sets unlock password on devices

Ransomware is one of most prolific cyber threats to criminal ecosystem and according to security firms cyber gangs are increasing use the malicious code improving its capabilities with new features. Recently, experts at Doctor Web security firm have detected a new strain of Android ransomware  which is equipped with a wider array of innovative features. In addition to locking a smartphone and demanding a ransom, the Android ransomware is able to set a screen unlock password by enabling a standard system feature. According to the experts the Andorid ransomware is also able to send short messages, a feature that could be exploited by bad actors to call SMS premium services.

The threat actors spread the Android ransomware, dubbed Android.Locker.38.origin, masquerading it as a system update, during the execution it requests access to the device’s administrative features and mimics update installation.

“This Android extortionist is spread in the guise of a system update. When launched, it requests access to the device’s administrative features. After that the Trojan mimics update installation, removes its icon from the home screen, reports back to a remote server that the infection has been successful and awaits further instructions.” states the blog post from Doctor Web.

In a similar way to other ransomware, Android. Locker. 38. origin, when launched will lock the infected device and will demand a ransom to unlock it. The command to lock the targeted device can be sent via an SMS message containing the directive set_lock as well as via a JSON request from a web server.

The experts noticed another singular behavior in the ransomware that distinguish it from other malicious code used in extortion schema, if the affected user still tries to delete the extortionist by depriving it of administrator privileges, Android.Locker.38.origin engages a supplementary lock.

The Android ransomware is able to switch the infected device into the standby state mode by using the standard phone feature to lock the screen. The Android ransomware once turned off the lock screen, proposes a fake warning message to the victim to inform it that all the data stored in the smartphone has been removed. Once victims chose the action, the malware proposes again the lock screen and activates a feature that requires the user to enter a password to toggle off the standby mode.

“Once a selected action is confirmed, the ransomware brings up the lock screen again and activates a feature that requires the user to enter a password to toggle off the standby mode.” “Even if the feature hasn’t been used before, the malicious locker sets its own password: “12345”. Thus, the infected smart phone or tablet is locked until the criminals involved get their ransom (the lock can be removed with the set_unlock command) or the user resets all the device’s settings to default.” states the post.

Once again, let me recommend you to install a defensive software on your mobile device to avoid to be infected by such malicious programs.

Pierluigi Paganini

(Security Affairs – Android. Locker. 38. origin, ransomware)