New Android Malware Changes PIN Code and Demand Ransom

Android users need to be highly careful while using your smartphone as ESET researchers have identified simplocker, a new screen-locking malware that specifically targets users in the United States.

This new ransomware is the first one that is capable of changing a smartphone’s PIN lock, which is one of the phone’s security code.

The Android LockScreen Trojans that have been identified previously by researchers attempted to acquire screen locking functionality by opening a ransom window in the foreground. This window goes into an infinite loop along with implementing an array of defense mechanisms that keep the device locked.

However, according to a blog post by ESET, this method proved to be unsuccessful because users were able to unlock their devices easily using the Android Debug Bridge/ADB or alternatively, by disabling Admin rights and deleting the Trojan in Safe Mode.

The difference with this new ransomware called Android/Lockerpin.A is that it evades the option of removal by preventing users from regaining access to their device if no security solution or root access exists on the phone.

Post installation, the primary objective of this malware is to get Device Administration rights through deceiving users into accepting an “Update Patch” installation. This alleged update tricks users into going through the process of enabling the Device Administrator privileges of this malware, which otherwise remain hidden.

When the user clicks on “Continue” button, the malware locks the device and resets the PIN Code thereby locking the screen of the phone.

It immediately displays a warning that seems to be issued by the FBI (citing storing of forbidden pornographic content on the device) and compels users to pay $500 as ransom amount.

Image Credit: ESET.
Image Credit: ESET.

Though the device has already been locked, it is possible to uninstall Android/Lockedprin.A. This can be done in SAFE Mode or through an ADB so that the PIN gets changed. However, this doesn’t let them regain control of their phone at all and to acquire such authority users require root privileges.

Lukas Stefanko from ESET explains:

“After having reset the PIN, however, neither the owner nor the attacker can unlock the device because the PIN is generated randomly and not sent to the attacker. The only practical way to unlock is to reset to factory defaults.”

An aggressive self-defense mechanism is utilized by this malware to recall the Device Admin rights in case the user has attempted to deactivate them.

Furthermore, after removing the Trojan, the Device Administrator window gets overlapped with a fake window that reactivates the raised up privileges effectively.

Furthermore, after removing the Trojan, the Device Administrator window gets overlapped with a fake window that reactivates the raised up privileges effectively.

Moreover, this malware is equipped with additional self-defense functions. It can remove any anti-virus software installed on the device and also monitors com.android.settings to avoid uninstallation.

This malware is not being distributed through Google Play but via third party markets, torrents and warez forums. Users download it believing it to be just another app for viewing adult videos.

Last week, security researchers discovered another ransomware scam hidden behind fake pornography app on Google Play store. So be careful before downloading any android app.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.