Another adult-themed Android ransomware hits the streets

Sep 10, 2015 21:37 GMT

A new ransomware targeting Android users is being spread with the help of an adult-themed app named Porn Droid which, after infecting victims, goes on to change their lock screen PINs, asking for a $500 / €450 ransom.

Security researchers at ESET have identified a new version of the older Android/Lockerpin.A malware mainly distributed to Android users in the US.

This new strain infects users via apps installed from untrusted locations like torrents and third-party websites, outside of the official Google Play Store.

Once on the user's smartphone, Android/Lockerpin.A uses the same sneaky technique of asking users for admin rights while disguising itself as an update.

Not the first pornography-themed Android ransomware (this week)

The same technique was also observed by security researchers at Zscaler, with another pornography-themed Android app (Adult Player), which takes images of its victims and uses them in its ransom messages.

After receiving admin rights from the phone's owner, Android/Lockerpin.A then goes on to change the user's lock screen PIN, using a randomly generated number.

This number is not sent to the attacker at any point, which means that nobody can unlock the screen, even after the ransom is paid.

The only way to get rid of the ransom message and take the phone out of the lock screen is to boot it in safe mode and uninstall the malware. As an alternative method, users can also use the Android Debug Bridge to remove the ransomware from their phones.

Once Android/Lockerpin.A is deleted from the phone, the problem of the "unknown" PIN still remains, which can only be solved by resetting the phone to factory settings.

Android ransomware is evolving, getting closer to the complexity levels of desktop strains

As ESET points out, Android ransomware is slowly evolving, and after a period when this kind of malware locked users out of their phones, the first strains of ransomware that encrypt users' files, just like desktop ransomware, have started appearing.

The most notorious of this latter type is Simplocker, for which Check Point researchers identified a new strain only a week ago.

A more in-depth look at the Android/Lockerpin.A ransomware variant is available on ESET's We Live Security blog.
