Types header





Short Description

The malware is most widespread in china and is most

probably the work of newbie Chinese teenage cybercriminals.


Unwanted pop-ups.

Distribution Method

Fake messages, 3rd party downloads






More Details

Most ransomware – lockscreens as well as crypto-ransomware -

demands a payment through pre-paid cash vouchers like MoneyPak

or MoneXy, or by Bitcoin, precisely for the reason that these payment

methods are virtually untraceable. However, hackers behind Jisut

took a whole different approach and doesn’t seem to care about its

anonymity. The ransomware nag screens include contact information

on the Chinese social network QQ and urge the victims to contact the

authors in order to get their files back. If the information in the QQ

profiles is valid, the malware operators are Chinese youths between 16 and 21 years old.

The first variants of Android/LockScreen.Jisut started appearing in the first half of 2014. Since then, we have detected hundreds of variants that all behave somewhat differently or display different ransom messages, but are all based on the same code template. The whole Jisut malware family is unlike any other known LockScreen ransomware. One of the working of this is to  create a full screen Activity (Android developer term for “window”). The full screen overlay is just a black background so the device appears as if it was locked or switched off. If the user brings up the menu to shut down or restart the device, a joke message will be displayed. Some samples feature a variation to the previous activity: they play music from the famous shower scene from Alfred Hitchcock’s Psycho, while vibrating the device in an infinite loop.

Another Jisut variant asks the user to click a button that says "I am an idiot" 1000 times. Nothing happens after the counter reaches 1000; it’s reset to zero and the frustrated user can continue clicking indefinitely.

In addition to the described silly behavior, most Android/LockScreen. Jisut variants also contain harmful functionality. Like Android/Lockerpin, they’re able to set or change the device lock screen PIN or password. Some variants don’t rely on the legitimate built-in Android lock screen functionality but display their own full-screen window mimicking the lock screen, as the police ransomware Android/Locker and Android/ Koler families do