Android/Lockerpin.A ransomware holds victims hostage by changing their PIN
The latest ransomware to hit Android users attempts to force victims into coughing up $500 by changing the PIN used to lock the device. Disguising itself as a system patch and then a message from the FBI suggesting that 'forbidden pornographic sites' have been viewed, the Android/Lockerpin.A malware differs from previous examples of ransomware that encrypted data.
The malware is impossible to remove without root access or by performing a factory reset. An interesting feature of the PIN change is that even the attacker is unware of what the new code is -- handing over money really makes no difference. But also worthy of note is the way in which Android/Lockerpin.A manages to gain Device Admin privileges.
Lukas Stefanko from security firm ESET explains that the ransomware initially appears as a software patch featuring a Google logo. Anyone agreeing to 'install' the update -- as many people will -- unwittingly grant the malware administrative rights so it is free to do just about anything, and that includes changing the PIN. Android/Lockerpin.A goes a step further, making sure that it is all but impossible to retract these privileges:
When users attempt to deactivate Device Admin for the malware, they will fail because the Trojan will have registered a call-back function to reactivate the privileges when removal is attempted.
In addition to this, Android/Lockerpin.A blocks deletion and attempts to kill antivirus software that may be installed. At the moment the ransomware is found primarily in the US, often in the guise of porn video app called Porn Droid. The malware is not, currently, found in Google Play, but is distributed through third-party sites, torrents and warez outlets.
If you fall victim on a rooted device, you are in (some) luck. Stefanko reveals how to remove the changed PIN:
The only way to remove the PIN lock screen without a factory reset is when device is rooted or has a MDM solution capable of resetting the PIN installed. If the device is rooted then the user can connect to the device by ADB and remove the file where the PIN is stored. For this to work, the device needs to have debugging enabled otherwise it’s not possible (Settings -> Developer options -> USB Debugging). Users can use the following set of commands to unlock the device:
- > adb shell
- > su
- > rm /data/system/password.key
After running the above commands, the PIN or password lock screen will be removed and the user can get to the device.
On unrooted devices, however, a reset involving a loss of data is the only other option.
Photo credit: Paket / Shutterstock