Symantec Security Claims Android Lockscreen Ransomware Using Pseudorandom Passcode to Ensure Victim Pays the Ransom.
Android Lockscreen ransomware has been around for quite some time now but the new version of these is far more powerful and resilient. Previously the ransomware used to lock the screen using a hardcoded passcode but experts were able to perform reverse engineering to provide the victim with the passcode so that they could unlock their devices. However, in the new version the attackers have made it impossible to reverse engineer the passcode since the ransomware uses pseudorandom passcodes. Due to this, the victims aren’t able to unlock their devices and are forced to pay the ransom.
Attackers have also equipped this new version with a custom lockscreen that is joined with the device’s lockscreen. This creates another problem for the victim. It must be noted that such Trojans are now being directly created on mobile devices prior to being distributed to unsuspecting users.
But what is Pseudorandom passcode?
When a device has been infected by this malware, it creates a custom System Error message window, which is pasted atop every visible user interface on the infected device. The malware also displays intimidating messages through this window asking the user to talk to the attackers to get the passcode.
The previous versions of Android Lockscreen ransomware hardcoded the passcode that would unlock the device in the sample’s code but the new version replaced it with a pseudorandom number. This means, pseudorandom passcodes are basically randomly generated numbers, which could be either 6 digit or 8 digit numbers. The figures presented below show both the 6 digit and 8 digit numbers.
The number that is randomly generated is different for every device since the base number is acquired with the “Math.Random()” function. It is important to note that the malware developers have fortified the threat by combining the pseudorandom passcode generation mechanism with a trick they have been using in the previous versions. That is, along with a customized lockscreen that is created through the System Error window, the device admin privileges are also used by the attackers to modify the PIN of the device’s normal lockscreen.
To mitigate the threat, Symantec suggests the following practices:
➢ Always update software
➢ Never download apps from unauthentic websites
➢ Always install apps from trusted websites/platforms
➢ Closely watch the permissions asked by the downloaded apps
➢ Do install a reliable mobile security app like Norton to keep your device and data secure
➢ It is a wise idea to always create a data backupSymantec Flickr/C_osett