Over 1,000 users downloaded Lockdroid, but Google warned users in time to prevent them from installing the threat

Feb 15, 2016 16:34 GMT

At the Security Analyst Summit (SAS 2016) held in Tenerife, Spain last week, Elena Kovakina, senior security analyst at Google, said no Android users have been fooled into installing the Lockdroid ransomware, IT PRO reports.

Cyber-security firm Symantec detected a new variant of the Android.Lockdroid ransomware towards the end of January.

Lockdroid is using a complex clickjacking trick to infect devices

This particular version abused an older UI feature that allowed the malware's author to show a secondary overlay on top of the screen that asked for admin privileges for the app infected with the Lockdroid ransomware.

When users pressed a button that read "Continue" (on the topmost overlay), they were unknowingly pressing the "Activate" button shown underneath, an attack scenario known as clickjacking.

This issue affected two-thirds of the Android userbase, which is over a billion users. More precisely, the issue affected those users using versions of the Android operating system prior to 5.0 (Lollipop).

Around 1,000 people downloaded Lockdroid-infested apps

Speaking at SAS 2016, Mrs. Kovakina told the audience that Google's built-in Verify Apps security system detected and warned all users who downloaded Lockdroid-infected apps from third-party app stores.

The analyst said that nearly 1,000 Android users downloaded apps laced with Lockdroid, but none of the users went through with the installation, mainly because of Android's built-in warning system.

Google's Verify Apps feature was introduced in Android 4.2 and works by scanning all downloaded .apk packages for Potentially Harmful Applications, also known as PHAs.

"Google’s systems use machine learning to see patterns and make connections that humans would not," is how Google researchers describe this system. This includes scanning for threats in apps downloaded both from the Play Store and from other sources.

Verify Apps will scan for known attack vectors and scenarios like phishing, rooting operations, ransomware, backdoors, spyware, harmful sites, SMS fraud, WAP fraud, call fraud, and others.

This security feature comes into action when trying to install apps from unverified sources and can be turned off. By default, Verify Apps comes enabled for all devices, and in this case, it seems that it may have helped thwart a dangerous ransomware campaign.
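For defenders managing a device fleet, the facts above (versions prior to 5.0 are exposed to the overlay clickjacking, Verify Apps exists from Android 4.2 and can be turned off) translate into a simple exposure triage. The following is an added example, not code from Google, Symantec or the article; the inventory format, column names and finding labels are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample inventory (hypothetical export format, not real devices).
SAMPLE_INVENTORY = """device_id,android_version,verify_apps_enabled
dev-001,4.4.4,true
dev-002,4.1.2,true
dev-003,5.0,false
dev-004,6.0.1,true
dev-005,4.3,false
dev-006,unknown,true
"""

LOLLIPOP = (5, 0)         # article: versions prior to 5.0 are affected by the overlay issue
VERIFY_APPS_MIN = (4, 2)  # article: Verify Apps was introduced in Android 4.2


def parse_version(text):
    """Return (major, minor), or None when the string is not a dotted version."""
    parts = text.strip().split(".")
    if not parts[0].isdigit():
        return None
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (major, minor)


def assess(row):
    """Return the list of findings for one inventory row."""
    version = parse_version(row["android_version"])
    if version is None:
        return ["version-unknown"]  # cannot be cleared, needs manual review
    findings = []
    if version < LOLLIPOP:
        findings.append("overlay-clickjacking-exposed")
    if version < VERIFY_APPS_MIN:
        findings.append("no-verify-apps")  # feature predates this release
    elif row["verify_apps_enabled"].strip().lower() != "true":
        findings.append("verify-apps-disabled")
    return findings


def audit(inventory_csv):
    """Map each device_id to its findings; an empty list means no finding."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: assess(row) for row in reader}


if __name__ == "__main__":
    for device, findings in audit(SAMPLE_INVENTORY).items():
        print(device, ", ".join(findings) or "ok")
```

Devices that carry both an exposure finding and a Verify Apps finding are the ones with neither the platform fix nor the install-time warning the article credits with stopping this campaign.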
