
Name

Lockerpin

Type

Locker Ransomware

Short Description

If a user becomes infected with this Android ransom-locker, the only way to remove the PIN lock screen is if the device was previously rooted or has an MDM solution installed that is capable of resetting the PIN. Otherwise, the last option is a factory reset, which deletes all data on the device.

Symptoms

The device's lock screen is locked with a PIN set by the malware. The victim cannot use the device; the ransom message claims access will be restored once the ransom is paid.

Distribution Method

The malware has been spreading disguised as an app for viewing adult videos.

Image

Locker Pin

Locker Pin2

More Details

Unfortunately, with Android/Lockerpin, which we discovered in August 2015, malware writers have stepped up their game. If a user becomes infected with this Android ransom-locker, the only way to remove the PIN lock screen is if the device was previously rooted or has an MDM solution installed that is capable of resetting the PIN. Otherwise, the last option is a factory reset, which deletes all data on the device.

The technique that Lockerpin uses for locking the device is extremely simple – it leverages the built-in Android PIN screen locking mechanism. It is able to set a PIN on the device, or even change it if it was already set. It is able to do so, provided that the victim has granted the malicious app Device Administrator privileges.
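As an added example, not part of the original write-up and not ESET's tooling: a Python triage script that reads a decoded APK's AndroidManifest.xml and the Device Administrator policy file it points to, lists the receivers that can become Device Administrators, and flags the reset-password plus force-lock policy combination that a PIN-locker needs. The manifest and policy files below are constructed for illustration; the package and class names in them are made up.

```python
"""Static triage of an Android app's Device Administrator declaration.

Added example (not from the original page). Input is the decoded
AndroidManifest.xml and the res/xml policy file referenced by the
android.app.device_admin meta-data entry, as produced by apktool-style
decoding. Sample inputs at the bottom are constructed; names are made up.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# reset-password lets an admin set or change the lock PIN; force-lock lets it
# lock the screen on demand. Together they are the locker primitive.
LOCKER_POLICIES = frozenset({"reset-password", "force-lock"})
WIPE_POLICY = "wipe-data"  # admin may trigger a factory reset (data loss)


def device_admin_receivers(manifest_xml: str) -> list[dict]:
    """Return receivers protected by BIND_DEVICE_ADMIN with their policy resource."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        if recv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        resource = None
        for meta in recv.findall("meta-data"):
            if meta.get(A + "name") == "android.app.device_admin":
                resource = meta.get(A + "resource")
        found.append({"name": recv.get(A + "name"), "policy_resource": resource})
    return found


def uses_policies(device_admin_xml: str) -> set[str]:
    """Parse a <device-admin> policy file and return the requested policy names."""
    root = ET.fromstring(device_admin_xml)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin policy file: <%s>" % root.tag)
    return {child.tag for block in root.findall("uses-policies") for child in block}


def assess(policies: set[str]) -> list[str]:
    """Return findings for a policy set; an empty list means nothing notable."""
    findings = []
    if LOCKER_POLICIES <= policies:
        findings.append("can set/change the lock PIN and lock the screen (locker primitive)")
    elif "reset-password" in policies:
        findings.append("can set/change the lock PIN")
    if WIPE_POLICY in policies:
        findings.append("can factory-reset the device")
    return findings


# Constructed sample: manifest of a hypothetical "video player" package.
MANIFEST = """<manifest xmlns:android="%s" package="com.example.videoplayer">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>""" % ANDROID_NS

# Constructed sample: policy file requesting the locker combination.
SUSPICIOUS_POLICY = """<device-admin xmlns:android="%s">
  <uses-policies>
    <reset-password/>
    <force-lock/>
  </uses-policies>
</device-admin>""" % ANDROID_NS

# Constructed sample: a screen-lock helper that can only lock, not set a PIN.
BENIGN_POLICY = """<device-admin xmlns:android="%s">
  <uses-policies>
    <force-lock/>
    <watch-login/>
  </uses-policies>
</device-admin>""" % ANDROID_NS

if __name__ == "__main__":
    for recv in device_admin_receivers(MANIFEST):
        print("device admin receiver:", recv["name"], "->", recv["policy_resource"])
    for label, xml in (("suspicious", SUSPICIOUS_POLICY), ("benign", BENIGN_POLICY)):
        print(label, sorted(uses_policies(xml)), assess(uses_policies(xml)))
```

A hit on the locker combination is not proof of malice on its own (legitimate anti-theft and MDM agents request the same policies), so the result belongs in an analyst's queue next to the app's distribution channel and what it shows the user before the Device Administrator prompt.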


Earlier versions of the Android/Locker family obtain Device Administrator status in the same way as other Android trojans, which mostly use it as protection against uninstallation: they rely on the user willingly activating the elevated privileges.

After a specified time delay following the display of the ransom message, the PIN will be set (or changed) to a four-digit number that is generated randomly and not sent to the attacker. Because the PIN is random and never transmitted, the attackers themselves cannot unlock the device, so paying the ransom does not restore access. Some variants of Lockerpin have the functionality to remove the PIN lock by resetting it to a zero value.

Lockerpin's aggressive self-defense

Not only does Android/Lockerpin acquire Device Admin privileges in a novel and covert manner; it also uses an aggressive self-defense mechanism to make sure it keeps them. When users attempt to deactivate Device Admin for the malware, they will fail because the trojan has already registered a call-back function that reactivates the privileges immediately after removal is attempted. As when Device Administrator is first activated by the trojan, if a removal attempt is made, the Device Administrator window is again overlaid with a bogus window. Pressing Continue effectively reactivates the elevated privileges.

As an extra layer of self-protection, the ransomware also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights.